Miggo Logo

CVE-2019-17206: Uncontrolled deserialization of a pickled object in rediswrapper allows attackers to execute arbitrary scripts

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.828%
Published
11/20/2019
Updated
10/26/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
rediswrapperpip< 0.3.00.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure serialization/deserialization logic in models.py. The original from_value function skipped pickling for strings, allowing attackers to store malicious pickled payloads as raw bytes. The to_value function then deserialized these payloads via pickle.loads() without validation. The patch removed the string bypass in from_value (forcing all values to be pickled) and eliminated unsafe fallback logic in to_value, confirming these functions as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Un*ontroll** **s*ri*liz*tion o* * pi*kl** o*j**t in mo**ls.py in *rost Min* r**iswr*pp*r (*k* R**is Wr*pp*r) ***or* *.*.* *llows *tt**k*rs to *x**ut* *r*itr*ry s*ripts.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* s*ri*liz*tion/**s*ri*liz*tion lo*i* in mo**ls.py. T** ori*in*l *rom_v*lu* *un*tion skipp** pi*klin* *or strin*s, *llowin* *tt**k*rs to stor* m*li*ious pi*kl** p*ylo**s *s r*w *yt*s. T** to_v*lu* *un*tion t**n **s