← Retour aux CVEs

CVE-2022-35411

CRITICAL

9.8

Description

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie7/8/2022

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

rpc.py_project:rpc.py

Faiblesses (CWE)

CWE-522

References

http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html(cve@mitre.org)

https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd(cve@mitre.org)

https://github.com/ehtec/rpcpy-exploit(cve@mitre.org)

https://medium.com/%40elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30(cve@mitre.org)

http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/ehtec/rpcpy-exploit(af854a3a-2127-422b-91ae-364da2661108)

https://medium.com/%40elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.