24 matches found
Picklescan has Incomplete List of Disallowed Inputs
Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...
GHSA-84R2-JW7C-4R5Q Picklescan has Incomplete List of Disallowed Inputs
Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...
PT-2026-50451
Name of the Vulnerable Software and Affected Versions picklescan versions prior to 0.0.33 Description An incomplete deny-list fails to block the pydoc.locate and operator.methodcaller functions. This allows remote attackers to bypass security checks by crafting malicious pickle files. The...
Internet Bug Bounty: use of uninitialized variables in operator.methodcaller
I described this vulnerability in detail in a mail to the PSRT. A copy of my email, plus the fix for this issue, can be found here: https://bugs.python.org/issue27783...