| عنوان | iop-apl-uw basestation3 3.0.4 Deserialization |
|---|
| الوصف | In the basestation3 github repository, the function load_qc_pickl() in QC.py uses Python’s pickle.load() to deserialize data from a file without validating or sanitizing the input. If an attacker supplies a malicious pickle file, they can execute arbitrary code when the file is loaded, resulting in a Remote Code Execution (RCE) vulnerability.
This occurs because pickle.load() is inherently unsafe for loading untrusted data, as it can deserialize and invoke arbitrary Python objects, including system calls. |
|---|
| المصدر | ⚠️ https://github.com/iop-apl-uw/basestation3/issues/6 |
|---|
| المستخدم | esharmaji (UID 84358) |
|---|
| ارسال | 15/05/2025 02:28 PM (12 أشهر منذ) |
|---|
| الاعتدال | 17/05/2025 03:13 PM (2 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 309461 [iop-apl-uw basestation3 حتى 3.0.4 basestation3/QC.py load_qc_pickl qc_file تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|