jsonpickle==1.3 has a security advisory
Describe the bug
jsonpickle==1.3 is defined as a dependency and has an associated security advisory.
To Reproduce
Running:
    python3 -m venv .venv
    source .venv/bin/activate
    pip install -q c7n==0.9.11 safety
    safety check --json
Produces:
    [
        [
            "jsonpickle",
            "<=1.4.1",
            "1.3",
            "Jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. See CVE-2020-22083.",
            "39319",
            null,
            null
        ]
    ]
Expected behavior
safety check should not report a CVE for dependencies that have fixes/resolution available.
- Ideally, remove the dependency since it does not look like it is being used by c7n. c7n_azure seems to be the only package using it.
- Alternatively, update jsonpickle==1.3 to jsonpickle>=1.3,<2
Background (please complete the following information):
- OS: macOS 10.15.7
- Python Version: python 3.9.1
- Custodian Version: 0.9.11
- Tool Version: N/A
- Cloud Provider: aws
- Policy: N/A
- Traceback: N/A
- custodian version --debug output: N/A
Additional context
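As an added example (not code from the cloud-custodian issue or its maintainers), the script below takes the safety finding quoted above and evaluates both the pinned 1.3 and the proposed jsonpickle>=1.3,<2 range against the advisory's affected range, so a reviewer can see which releases the new pin would still admit inside the affected range and which would be fixed. The release list, the helper names and the simple specifier grammar are assumptions for the demonstration; the specifier handling is general (any comma-separated <, <=, ==, >=, > clauses), not only the two ranges from this issue.

```python
import json

# Constructed sample, copied from the finding above in safety's JSON list layout:
# [package, affected_spec, installed_version, advisory_text, advisory_id, cve, more_info].
SAFETY_OUTPUT = json.dumps([[
    "jsonpickle", "<=1.4.1", "1.3",
    "Jsonpickle through 1.4.1 allows remote code execution during deserialization "
    "of a malicious payload through the decode() function. See CVE-2020-22083.",
    "39319", None, None,
]])
# Hypothetical release list for the demonstration; real triage would query the index.
RELEASED = ["1.3", "1.4", "1.4.1", "1.4.2", "1.5.0", "2.0.0"]

def parse_version(text, width=3):
    """'1.4.1' -> (1, 4, 1), zero-padded so '1.4' == '1.4.0'. Final releases only."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (width - len(parts))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of a simple specifier."""
    ops = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-character operators first
            if clause.startswith(op):
                if not ops[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True

def triage(safety_json, proposed_spec, released=RELEASED):
    """Per finding: is the installed pin affected, and which releases admitted by
    the proposed pin are still inside the affected range versus fixed."""
    report = {}
    for pkg, affected, installed, _text, advisory_id, *_ in json.loads(safety_json):
        admitted = [r for r in released if satisfies(r, proposed_spec)]
        report[pkg] = {
            "advisory_id": advisory_id,
            "installed_affected": satisfies(installed, affected),
            "still_affected": [r for r in admitted if satisfies(r, affected)],
            "fixed": [r for r in admitted if not satisfies(r, affected)],
        }
    return report

print(json.dumps(triage(SAFETY_OUTPUT, ">=1.3,<2"), indent=2))
```

With the sample release list, the output shows that a floor of 1.3 alone still admits 1.3, 1.4 and 1.4.1 from the affected range, which is the kind of check worth running before accepting a loosened pin as the fix.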
Issue Analytics
- Created 2 years ago
- Comments: 5
Top GitHub Comments
afaics this isn't used anymore, I'll be removing it in an extant packaging-related PR https://github.com/cloud-custodian/cloud-custodian/pull/6615
@logachev can we yank our usage of jsonpickle?