GHSA-m273-6v24-x4m4: Picklescan vulnerable to Arbitrary File Writing
Picklescan has got open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files.
References
- github.com/advisories/GHSA-m273-6v24-x4m4
- github.com/mmaitre314/picklescan
- github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab
- github.com/mmaitre314/picklescan/pull/53
- github.com/mmaitre314/picklescan/releases/tag/v0.0.33
- github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4
Code Behaviors & Features
Detect and mitigate GHSA-m273-6v24-x4m4 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →