Lucene search

Veracode Vulnerability DatabaseVERACODE:43809

HistoryOct 13, 2023 - 5:27 a.m.

Deserialization Of Untrusted Data

2023-10-1305:27:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

vantage6

pickle

serialization

deserialization

data manipulation

injection

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

33.4%

JSON

vantage6 is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to the library’s use of the insecure pickle library which is used serialization for deserializing data, enabling an attacker to manipulate the serialized data by injecting malicious code.

CPENameOperatorVersion
vantage6-clientle3.11.1
vantage6-nodele3.11.1
vantage6-clientle3.11.1
vantage6-nodele3.11.1

Name	Operator	Version
vantage6-client	le	3.11.1
vantage6-node	le	3.11.1
vantage6-client	le	3.11.1
vantage6-node	le	3.11.1

References

github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400

github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0

github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6

medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

33.4%

JSON

Related for VERACODE:43809