{"url":"http://public2.vulnerablecode.io/api/packages/74402?format=json","purl":"pkg:pypi/picklescan@1.0.4","type":"pypi","namespace":"","name":"picklescan","version":"1.0.4","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50596?format=json","vulnerability_id":"VCID-dz86-5sqp-m3gj","summary":"PickleScan has multiple stdlib modules with direct RCE not in blocklist\npicklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.","references":[{"reference_url":"https://github.com/mmaitre314/picklescan","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mmaitre314/picklescan"},{"reference_url":"https://github.com/advisories/GHSA-g38g-8gr9-h9xp","reference_id":"GHSA-g38g-8gr9-h9xp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g38g-8gr9-h9xp"},{"reference_url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp","reference_id":"GHSA-g38g-8gr9-h9xp","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74402?format=json","purl":"pkg:pypi/picklescan@1.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4"}],"aliases":["GHSA-g38g-8gr9-h9xp"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dz86-5sqp-m3gj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50643?format=json","vulnerability_id":"VCID-ffv8-d2fk-tubb","summary":"PickleScan's pkgutil.resolve_name has a universal blocklist bypass\n`pkgutil.resolve_name()` is a Python stdlib function that resolves any `\"module:attribute\"` string to the corresponding Python object at runtime. By using `pkgutil.resolve_name` as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function (e.g., `os.system`, `builtins.exec`, `subprocess.call`) without that function appearing in the pickle's opcodes. picklescan only sees `pkgutil.resolve_name` (which is not blocked) and misses the actual dangerous function entirely.\n\nThis defeats picklescan's **entire blocklist concept** — every single entry in `_unsafe_globals` can be bypassed.","references":[{"reference_url":"https://github.com/mmaitre314/picklescan","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mmaitre314/picklescan"},{"reference_url":"https://github.com/advisories/GHSA-vvpj-8cmc-gx39","reference_id":"GHSA-vvpj-8cmc-gx39","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vvpj-8cmc-gx39"},{"reference_url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39","reference_id":"GHSA-vvpj-8cmc-gx39","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74402?format=json","purl":"pkg:pypi/picklescan@1.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4"}],"aliases":["GHSA-vvpj-8cmc-gx39"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ffv8-d2fk-tubb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50546?format=json","vulnerability_id":"VCID-sapx-fzv8-pbcw","summary":"PickleScan's profile.run blocklist mismatch allows exec() bypass\npicklescan v1.0.3 blocks `profile.Profile.run` and `profile.Profile.runctx` but does NOT block the module-level `profile.run()` function. A malicious pickle calling `profile.run(statement)` achieves arbitrary code execution via `exec()` while picklescan reports 0 issues. This is because the blocklist entry `\"Profile.run\"` does not match the pickle global name `\"run\"`.","references":[{"reference_url":"https://github.com/mmaitre314/picklescan","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mmaitre314/picklescan"},{"reference_url":"https://github.com/advisories/GHSA-7wx9-6375-f5wh","reference_id":"GHSA-7wx9-6375-f5wh","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wx9-6375-f5wh"},{"reference_url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh","reference_id":"GHSA-7wx9-6375-f5wh","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74402?format=json","purl":"pkg:pypi/picklescan@1.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4"}],"aliases":["GHSA-7wx9-6375-f5wh"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sapx-fzv8-pbcw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4"}