ALT-PU-2021-4849-1
Package python-module-parso updated to version 0.5.1-alt2 for branch sisyphus in task 265625.
Closed vulnerabilities
Published: 2019-06-06
Modified: 2024-11-21
CVE-2019-12760
A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References: