7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-23930

GHSA ID

GHSA-5m22-cfq9-86x6

EPSS Score

0.71742%

CWE

CWE-502

Published

10/13/2023

Updated

11/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-23930

CVE-2023-23930: Pickle serialization vulnerable to Deserialization of Untrusted Data

What

We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9).

In summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue.

Solution: we should use JSON instead

Impact

All users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers.

Patches

Not yet

Workarounds

Specify JSON serialization

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-23930

GHSA ID

GHSA-5m22-cfq9-86x6

EPSS Score

0.71742%

CWE

CWE-502

Published

10/13/2023

Updated

11/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vantage6	pip	< 4.0.2	4.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using Python's pickle module for serialization/deserialization. The commit diff shows removal of pickle-related functions (deserialize_pickle, serialize_pickle) and replacement with JSON. Key evidence includes: 1) Explicit removal of pickle tests in test_client.py 2) Replacement of pickle.dumps/loads with JSON in critical paths 3) Removal of DataFormat.PICKLE enum 4) Docker wrapper tests showing pickle removal. These functions directly handled untrusted data with insecure pickle operations, making them clear injection points for malicious payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### W**t W* *r* usin* pi*kl* *s ****ult s*ri*liz*tion mo*ul* *ut t**t **s known s**urity issu*s (s** *.*. *ttps://m**ium.*om/o**ron*/pyt*on-pi*kl*-is-notoriously-ins**ur*-************). In summ*ry, it is not **vis**l* to op*n Pi*kl*s t**t you *r**t

Reasoning

T** vuln*r**ility st*ms *rom usin* Pyt*on's pi*kl* mo*ul* *or s*ri*liz*tion/**s*ri*liz*tion. T** *ommit *i** s*ows r*mov*l o* pi*kl*-r*l*t** *un*tions (**s*ri*liz*_pi*kl*, s*ri*liz*_pi*kl*) *n* r*pl***m*nt wit* JSON. K*y *vi**n** in*lu**s: *) *xpli*i

7.2

Basic Information

Concerned about an active attack path?

CVE-2023-23930: Pickle serialization vulnerable to Deserialization of Untrusted Data

What

Impact

Patches

Workarounds

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI