** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."
CVE-2019-12760 - High Severity Vulnerability
Vulnerable Libraries - parso-0.4.0-py2.py3-none-any.whl, parso-0.3.4-py2.py3-none-any.whl
parso-0.4.0-py2.py3-none-any.whl
A Python Parser
Library home page: https://files.pythonhosted.org/packages/a7/bd/e2f4753c5fa93932899243b4299011a757ac212e9bc8ddf062f38df4e78b/parso-0.4.0-py2.py3-none-any.whl
Dependency Hierarchy:
- :x: **parso-0.4.0-py2.py3-none-any.whl** (Vulnerable Library)
parso-0.3.4-py2.py3-none-any.whl
A Python Parser
Library home page: https://files.pythonhosted.org/packages/19/b1/522b2671cc6d134c9d3f5dfc0d02fee07cab848e908d03d2bffea78cca8f/parso-0.3.4-py2.py3-none-any.whl
Dependency Hierarchy:
- :x: **parso-0.3.4-py2.py3-none-any.whl** (Vulnerable Library)
Vulnerability Details
Publish Date: 2019-06-06
URL: CVE-2019-12760
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High