CVE-2020-22083

Published
View on NVD ↗
CVSS v3
9.8
CRITICAL
CVSS v2
7.5
HIGH
Affected
2
PROJECTS

Description

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data

jsonpickle/jsonpickle
jsonpickle/jsonpickle
Python library for serializing any arbitrary object graph into JSON. It can take almost any Python object and turn the object into JSON. Additionally, it can reconstitute the object back into Python.
GitHubGitHub
1.32K
j0lt-github/python-deserialization-attack-payload-generator
j0lt-github/python-deserialization-attack-payload-generator
Peas create serialized payload for deserialization RCE attack on python driven applications where pickle ,pyYAML, ruamel.yaml or jsonpickle module is used for deserialization of serialized data. I will update it with more attack vectors to targets other modules.
GitHubGitHub
132