CVE-2019-17206: Uncontrolled deserialization of a pickled object in rediswrapper allows attackers to execute arbitrary scripts
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.828%
CWE
Published
11/20/2019
Updated
10/26/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
rediswrapper | pip | < 0.3.0 | 0.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure serialization/deserialization logic in models.py. The original from_value function skipped pickling for strings, allowing attackers to store malicious pickled payloads as raw bytes. The to_value function then deserialized these payloads via pickle.loads() without validation. The patch removed the string bypass in from_value (forcing all values to be pickled) and eliminated unsafe fallback logic in to_value, confirming these functions as the root cause.