CVE-2023-23930 – vantage6

Package

Manager: pip
Name: vantage6
Vulnerable Version: >=0 <4.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00729 pctl0.71803

Details

Pickle serialization vulnerable to Deserialization of Untrusted Data ### What We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9). In summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue. Solution: we should use JSON instead ### Impact All users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers. ### Patches Not yet ### Workarounds Specify JSON serialization

Metadata

Created: 2023-10-13T19:25:39Z
Modified: 2024-11-18T23:11:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-5m22-cfq9-86x6/GHSA-5m22-cfq9-86x6.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-5m22-cfq9-86x6
Finding: F096
Auto approve: 1