CVE Vulnerability

CVE-2019-12760

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7 Exploit Third Party Advisory
https://github.com/davidhalter/parso/issues/75
Configurations

Configuration 1

cpe:2.3:a:parso_project:parso:*:*:*:*:*:*:*:*
Information

Published : 2019-06-06 07:29

Updated : 2019-07-05 11:15

NVD link : CVE-2019-12760

Mitre link : CVE-2019-12760

Products Affected
No products.
CWE
CWE-502

Deserialization of Untrusted Data