CVE-2022-35411
N/A
N/A
Summary
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://medium.com/%40elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30
- https://github.com/ehtec/rpcpy-exploit
- https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd
- http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html
References
- https://medium.com/%40elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30
- https://github.com/ehtec/rpcpy-exploit
- https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd
- http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.