760687 – (CVE-2020-22083) dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)

Bug 760687 (CVE-2020-22083) - dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)

Summary: dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)

Status:	RESOLVED INVALID

Alias:	CVE-2020-22083

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://github.com/jsonpickle/jsonpic...
Whiteboard:	B1 [upstream]
Keywords:

Depends on:
Blocks:

Reported:	2020-12-19 02:54 UTC by John Helmert III
Modified:	2020-12-19 11:24 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-12-19 02:54:56 UTC

CVE-2020-22083 (https://github.com/jsonpickle/jsonpickle/issues/332):

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.


Contrary to the CVE description I've tested 1.4.2 and it's vulnerable too.  Unfortunately upstream doesn't think this is an issue and just suggests only deserializing trusted data.

Comment 1 Michał Górny archtester

2020-12-19 08:43:41 UTC

So what am I supposed to do about it?

Comment 2 John Helmert III archtester

2020-12-19 08:52:02 UTC

(In reply to Michał Górny from comment #1)
> So what am I supposed to do about it?

Nothing for you to do that I can see

Comment 3 Sam James archtester

2020-12-19 11:24:51 UTC

In general, there’s nothing we can do for “untrusted pickling”. You shouldn’t do it and it’s documented everywhere, including on jsonpickle’s front page. It shouldn’t have received a CVE unless there’s folks actually doing it - which would be a bug in the consumers.