9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-35411

GHSA ID

GHSA-8rq8-f485-7v8x

EPSS Score

0.98559%

CWE

CWE-502

Published

7/9/2022

Updated

4/22/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-35411

CVE-2022-35411: rpc.py vulnerable to Deserialization of Untrusted Data

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

Per the maintainer, rpc.py is not designed for an API that is open to the outside world, and external requests cannot reach rpc.py in real world use.

A fix exists on the master branch. As a workaround, use the following code to turn off pickle in older versions:

del SERIALIZER_NAMES[PickleSerializer.name]
del SERIALIZER_TYPES[PickleSerializer.content_type]

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-35411

CVE-2022-35411:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-35411

GHSA ID

GHSA-8rq8-f485-7v8x

EPSS Score

0.98559%

CWE

CWE-502

Published

7/9/2022

Updated

4/22/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rpc.py	pip	>= 0.4.2, <= 0.6.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two connected factors: 1) The PickleSerializer.decode method directly uses unsafe pickle.loads() deserialization. 2) The serializer registry allows clients to activate this dangerous serializer via HTTP headers. The commit fix removes PickleSerializer from these registries, and exploit analysis shows RCE occurs when malicious payloads reach the decode method. Both the deserialization implementation and the serializer selection mechanism are required for the vulnerability to exist.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-35411: rpc.py vulnerable to Deserialization of Untrusted Data

CVE-2022-35411:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.8

9.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2022-35411: rpc.py vulnerable to Deserialization of Untrusted Data

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI