CERTCC / VINCE

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.

Home Page: https://kb.cert.org/vince/


Remote Code Injection vulnerability using Python pickle object

sei-vsarvepalli opened this issue · comments

An authenticated attacker can inject an arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed. Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC.

The relevant code update

VINCE/vinny/models.py

Lines 238 to 242 in 213dcd9

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        """ If find_class gets called then return error """
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
                                     (module, name))

Resolved with #62
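The following is an added example, not code from VINCE or from the issue above, showing why a pickle object inside user-controlled profile data is a code-execution primitive and what the RestrictedUnpickler fix does about it. The Payload class, restricted_loads, classify and the profile dictionaries are constructed for this illustration; the RestrictedUnpickler copies the shape of the fix. Payload's __reduce__ asks the unpickler to call platform.system(), a deliberately harmless stand-in for any callable an attacker could name in a pickle stream.

```python
import io
import pickle
import platform


class RestrictedUnpickler(pickle.Unpickler):
    """Same shape as the VINCE fix: refuse to resolve any global reference.

    Every class or function reference in a pickle stream (GLOBAL /
    STACK_GLOBAL opcodes) goes through find_class, so raising here means
    only built-in container and scalar types can be reconstructed.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data: bytes):
    """Hardened replacement for pickle.loads (constructed helper)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_load(data: bytes):
    """The vulnerable pattern: default Unpickler imports whatever the stream names."""
    return pickle.loads(data)


class Payload:
    """Constructed attacker object.

    __reduce__ returns (callable, args); the REDUCE opcode makes the
    unpickler call callable(*args) while loading. Here the callable is
    platform.system, which only returns the OS name, but any importable
    callable would be invoked the same way.
    """

    def __reduce__(self):
        return (platform.system, ())


class Profile:
    """Constructed, benign application class with no __reduce__ tricks."""

    def __init__(self, name: str) -> None:
        self.name = name


def build_payload() -> bytes:
    """Serialises the attacker object exactly as an attacker would."""
    return pickle.dumps(Payload())


def classify(data: bytes) -> str:
    """Reports whether the restricted unpickler accepts or rejects a stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    malicious = build_payload()
    # Default loader: platform.system() runs during loading and its result
    # becomes the "profile" object. With a different callable this is RCE.
    print("unsafe_load executed callable, got:", unsafe_load(malicious))

    # Hardened loader: the reference to platform.system never resolves.
    print("restricted loader:", classify(malicious))

    # Caveat: the fix is all-or-nothing. Plain dict/list/str data survives,
    # but even a harmless application class instance is refused, so profile
    # data has to be stored as primitives (or, better, as JSON) afterwards.
    print("primitives:", classify(pickle.dumps({"name": "alice", "roles": ["user"]})))
    print("app class :", classify(pickle.dumps(Profile("alice"))))
```

The point of the last two calls is the practical consequence of the fix: because find_class is the only hook the unpickler offers, blocking it blocks every class reference, so a pickled application object is rejected just like the attacker's payload. Code that relied on pickling model instances into the profile has to move to primitive types, and a format with no code-loading path at all (JSON) removes the problem rather than fencing it.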