picklescan@0.0.24 vulnerabilities

Security scanner detecting Python Pickle files performing suspicious actions

  • latest version

    0.0.26

  • latest non vulnerable version

  • first published

    2 years ago

  • latest version published

    12 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the picklescan package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Incomplete List of Disallowed Inputs

    picklescan is a Security scanner detecting Python Pickle files performing suspicious actions

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in scanner.py, which does not include timeit or other modules that can be leveraged for unintended command execution. An attacker can cause exec() to be invoked from inside a malicious pickle object by calling timeit.timeit(), and then convincing a user to execute the apparently non-dangerous payload after it passes a scan.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade picklescan to version 0.0.25 or higher.

    [,0.0.25)
    • M
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in scanner.py, which does not include numpy.testing._private.utils or other modules that can be leveraged for unintended command execution. An attacker can cause exec() to be invoked from inside a malicious pickle object by calling runstring in it, and then convincing a user to execute the apparently non-dangerous payload after it passes a scan.

    How to fix Deserialization of Untrusted Data?

    Upgrade picklescan to version 0.0.25 or higher.

    [,0.0.25)
    • H
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in scanner.py, which does not include ssl or other modules that can be leveraged for remote operations. An attacker can read and exfiltrate sensitive local file content by constructing a malicious domain name and triggering a DNS resolution. The DNS resolution is performed after deserialization and may call ssl.get_server_certificate(), which bypasses protections.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade picklescan to version 0.0.25 or higher.

    [,0.0.25)
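
All three advisories above come down to a module missing from a denylist in scanner.py. The following added example (not picklescan's code; the `DENYLIST` and `ALLOWLIST` sets and all function names are assumptions made for illustration) lists the globals a pickle references using `pickletools`, without loading it, and compares a denylist verdict with an allowlist verdict on constructed, harmless samples. The `STACK_GLOBAL` operand tracking is a simplified heuristic that fails closed when it cannot resolve a name.

```python
import collections
import pickle
import pickletools
import timeit

# Illustrative policies for this example only; not picklescan's actual lists.
DENYLIST = {"os", "posix", "nt", "subprocess", "builtins", "sys"}
ALLOWLIST = {("collections", "OrderedDict")}
PUTS = {"PUT", "BINPUT", "LONG_BINPUT"}
GETS = {"GET", "BINGET", "LONG_BINGET"}

def referenced_globals(data: bytes) -> set:
    """List (module, name) imports a pickle requests, without unpickling it."""
    found, strings, memo, last = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in PUTS:
            memo[arg] = last
        elif op.name in GETS:
            last = memo.get(arg)
            strings.append(last)
        elif op.name in ("GLOBAL", "INST"):
            found.add(tuple(arg.split(" ", 1)))
            last = None
        elif op.name == "STACK_GLOBAL":
            pair = tuple(strings[-2:])
            # Fail closed when the two operands cannot be resolved to strings.
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(pair if ok else ("<unresolved>", "<unresolved>"))
            last = None
        elif isinstance(arg, str):
            last = arg
            strings.append(arg)
        else:
            last = None
    return found

def denylist_hits(data: bytes) -> set:
    """Globals a denylist scanner reports: only modules it already knows."""
    return {g for g in referenced_globals(data) if g[0].split(".")[0] in DENYLIST}

def allowlist_hits(data: bytes) -> set:
    """Globals an allowlist scanner reports: everything not explicitly approved."""
    return referenced_globals(data) - ALLOWLIST

# Constructed samples: harmless pickles that only reference a callable or data.
SAMPLE_TIMEIT = pickle.dumps(timeit.timeit, protocol=2)     # GLOBAL opcode
SAMPLE_TIMEIT_P4 = pickle.dumps(timeit.timeit, protocol=4)  # STACK_GLOBAL opcode
SAMPLE_DATA = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
```

The denylist returns no hits for the `timeit` reference, while the allowlist reports it and still accepts the plain `OrderedDict` data.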