Lucene search

K

[email protected]NVD:CVE-2022-35411

HistoryJul 08, 2022 - 7:15 p.m.

CVE-2022-35411

2022-07-0819:15:08

CWE-522

[email protected]

web.nvd.nist.gov

1

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.111 Low

EPSS

Percentile

95.2%

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the “serializer: pickle” HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

Affected configurations

NVD

Node

rpc.py_projectrpc.pyRange0.4.2–0.6.0

References

packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html

github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd

github.com/ehtec/rpcpy-exploit

medium.com/%40elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.111 Low

EPSS

Percentile

95.2%

Related for NVD:CVE-2022-35411

githubexploit1 checkpoint_advisories1 osv2 zdt1 packetstorm1 cvelist1 cve1 veracode1 prion1 github1 exploitdb1