PyPi: Parso

CVE-2019-12760

Safety vulnerability ID: 69622

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 06, 2019 Updated at Dec 10, 2024

Advisory

A deserialization vulnerability exists in the way parso loads grammars from its cache. Cache loading relies on pickle; if a malicious pickle can be written to a cached grammar file and its loading can be triggered, the flaw leads to arbitrary code execution. Version 0.5.1 adds a note about the use of pickle.
NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."
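The advisory reduces to a general rule: never unpickle data from a location another party may be able to write to. The example below is added here and is not parso's code or the advisory's; it shows the two mitigations a defender would apply to any pickle-backed cache, namely refusing a cache directory that is not owned by the current user or is writable by other users, and unpickling through an allow-list so that only the handful of globals a plain data cache needs can ever be resolved. The allow-list contents, file names and the `demo()` scenarios are assumptions for illustration; the directory check is POSIX-only.

```python
import os
import pickle
import shutil
import stat
import tempfile

# Assumed allow-list: globals a plain data cache legitimately needs.
# Anything else (os.system, subprocess.Popen, builtins.eval, ...) is refused.
_ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals."""

    def find_class(self, module, name):
        if (module, name) in _ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from cache")


def cache_dir_is_trusted(path):
    """True only if `path` is owned by us and not writable by group/others.

    A cache that another local user could have rewritten must not be trusted,
    which is exactly the precondition the advisory describes (POSIX only).
    """
    st = os.stat(path)
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def save_cache(cache_dir, filename, obj):
    """Write `obj` to the cache with the highest protocol."""
    with open(os.path.join(cache_dir, filename), "wb") as f:
        pickle.dump(obj, f, protocol=pickle.HIGHEST_PROTOCOL)


def load_cache(cache_dir, filename):
    """Load a cached object, applying both checks before unpickling."""
    if not cache_dir_is_trusted(cache_dir):
        raise PermissionError(f"cache directory {cache_dir} is not trusted")
    with open(os.path.join(cache_dir, filename), "rb") as f:
        return RestrictedUnpickler(f).load()


def demo():
    """Exercise the loader on constructed data in a temporary cache directory."""
    cache_dir = tempfile.mkdtemp()
    try:
        grammar = {"tokens": ["def", "return"], "version": 1}  # constructed
        save_cache(cache_dir, "grammar.pkl", grammar)
        round_trip_ok = load_cache(cache_dir, "grammar.pkl") == grammar

        # A pickle referencing a global outside the allow-list. Resolving a
        # function reference runs nothing by itself, but global resolution is
        # the hook pickle deserialization exposes, so the loader refuses it.
        with open(os.path.join(cache_dir, "tampered.pkl"), "wb") as f:
            f.write(pickle.dumps(os.getcwd))
        try:
            load_cache(cache_dir, "tampered.pkl")
            global_check = "loaded"
        except pickle.UnpicklingError:
            global_check = "UnpicklingError"

        # Make the directory writable by everyone: even the benign file is now
        # refused, because any local user could have replaced it.
        os.chmod(cache_dir, 0o777)
        try:
            load_cache(cache_dir, "grammar.pkl")
            dir_check = "loaded"
        except PermissionError:
            dir_check = "PermissionError"
        return round_trip_ok, global_check, dir_check
    finally:
        shutil.rmtree(cache_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, 'UnpicklingError', 'PermissionError')
```

The allow-list approach follows the `RestrictedUnpickler` pattern documented for Python's `pickle` module; it protects against cache contents that were tampered with, while the ownership and mode check addresses the disputed precondition directly by refusing to read a cache that anyone other than the current user could write.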

Affected package

parso

Latest version: 0.8.4

A Python Parser

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 6.0
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): SINGLE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL