漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
picklescan - Remote Code Execution via Unblocked Standard Library Modules
Vulnerability Description
picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
不完整的黑名单
Vulnerability Title
picklescan 输入验证错误漏洞
Vulnerability Description
picklescan picklescan是picklescan公司的一款Python反序列化漏洞扫描工具。 picklescan 1.0.4之前版本存在输入验证错误漏洞,该漏洞源于未能阻止至少七个Python标准库模块(包括uuid、_osx_support、_aix_support、_pyrepl.pager和imaplib),暴露了八个可直接进行任意命令执行的函数,可能导致攻击者通过构造恶意pickle文件导入这些未阻止的模块实现远程代码执行,完全绕过picklescan的安全验证。
CVSS Information
N/A
Vulnerability Type
N/A