
CVE-2019-12760: Deserialization vulnerability exists in parso

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.70295%
Published: 6/13/2019
Updated: 10/9/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: parso
Ecosystem: pip
Vulnerable Versions: <= 0.4.0
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from parso's on-disk cache, which stores parsed grammars as pickle files. Grammar.parse() can enable cache loading, and _load_from_cache_specific in cache.py then deserializes the file contents directly with pickle.load(), so any callable named in the pickle stream is executed at load time. The PoC exploits this by writing a malicious pickle to the cache path and triggering a parse. The precondition is that the attacker can already write to the cache directory, which is why the vector carries PR:L and AC:H and why the entry is marked disputed. These two functions are the insecure deserialization chain.
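Added example, written for this page and not parso's own code, showing both halves of that chain: a loader that pickle.load()s whatever is in the cache file, a planted pickle whose __reduce__ makes the unpickler call an attacker-chosen function, and a hardened loader that checks file permissions and an HMAC before any byte reaches a restricted Unpickler. CacheItem, EvilItem, the helper names and the temp-dir paths are constructed for the demo; os.makedirs stands in for os.system so the run leaves a marker directory instead of spawning a shell.

```python
"""Model of a pickle-backed grammar cache and a hardened loader.

Added example for this page; not parso's code. Every name below is constructed.
"""
import hashlib
import hmac
import io
import os
import pickle
import tempfile

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC prefix


class CacheItem:
    """Stand-in for the object a parser would pickle into its cache."""

    def __init__(self, source_path, node_count):
        self.source_path = source_path
        self.node_count = node_count


# --- the vulnerable pattern: trust whatever is on disk ----------------------

def load_cache_unsafe(cache_path):
    """pickle.load runs any callable the stream names, before returning."""
    with open(cache_path, "rb") as f:
        return pickle.load(f)


class EvilItem:
    """Unpickling calls the callable returned by __reduce__ with its args."""

    def __init__(self, marker_dir):
        self.marker_dir = marker_dir

    def __reduce__(self):
        # os.makedirs is a harmless stand-in for os.system("...")
        return (os.makedirs, (self.marker_dir,))


def write_evil_cache(cache_path, marker_dir):
    """What an attacker with write access to the cache directory does."""
    with open(cache_path, "wb") as f:
        pickle.dump(EvilItem(marker_dir), f)


# --- hardened loader ---------------------------------------------------------

def _tag(key, blob):
    return hmac.new(key, blob, hashlib.sha256).digest()


def save_cache_authenticated(cache_path, item, key):
    """Prefix the pickle with an HMAC under a key the attacker cannot read."""
    blob = pickle.dumps(item, protocol=pickle.HIGHEST_PROTOCOL)
    with open(cache_path, "wb") as f:
        f.write(_tag(key, blob) + blob)
    os.chmod(cache_path, 0o600)  # owner-only, independent of the umask


# Globals a cache item may reference, resolved from this table rather than by
# importing module names taken from the untrusted stream.
SAFE_GLOBALS = {(CacheItem.__module__, "CacheItem"): CacheItem}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing global {module}.{name}") from None


def load_cache_verified(cache_path, key):
    """Permission check, then HMAC check, then a restricted unpickler."""
    if os.stat(cache_path).st_mode & 0o022:
        raise PermissionError(f"{cache_path} is group/world writable")
    with open(cache_path, "rb") as f:
        data = f.read()
    tag, blob = data[:TAG_LEN], data[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, blob)):
        raise ValueError(f"{cache_path} failed authentication")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def run_demo(cache_dir=None):
    """Plant a malicious cache file and run both loaders; returns the outcomes."""
    cache_dir = cache_dir or tempfile.mkdtemp(prefix="pickle-cache-demo-")
    key = os.urandom(32)  # in practice: a 0600 key file outside the cache dir
    evil = os.path.join(cache_dir, "grammar-evil.pkl")
    marker = os.path.join(cache_dir, "pwned-by-pickle")
    write_evil_cache(evil, marker)
    results = {}

    load_cache_unsafe(evil)  # the attacker's callable runs inside this call
    results["unsafe_executed_payload"] = os.path.isdir(marker)

    try:
        load_cache_verified(evil, key)
        results["verified_outcome"] = "loaded"
    except (PermissionError, ValueError):
        results["verified_outcome"] = "rejected"

    try:  # even with the HMAC gate removed, the allow-list stops os.makedirs
        with open(evil, "rb") as f:
            RestrictedUnpickler(f).load()
        results["restricted_outcome"] = "loaded"
    except pickle.UnpicklingError:
        results["restricted_outcome"] = "rejected: disallowed global"

    good = os.path.join(cache_dir, "grammar-good.pkl")
    save_cache_authenticated(good, CacheItem("/tmp/example.py", 42), key)
    results["good_node_count"] = load_cache_verified(good, key).node_count
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks in load_cache_verified matters: the HMAC is compared over the raw bytes before anything is parsed, so an attacker who can write the cache directory but not the key file cannot get the unpickler to look at their stream at all, and the allow-list in find_class is the second layer for the case where the key is also compromised.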


WAF Protection Rules

WAF Rule

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.3.3 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing
