CVE-2019-12760
Arbitrary Code Execution vulnerability in parso (PyPI)
What is CVE-2019-12760 About?
This vulnerability in `parso` through 0.4.0 is a deserialization flaw that could lead to Arbitrary Code Execution when handling grammar parsing from the cache. If an attacker can write a malicious 'pickle' to a cache grammar file and trigger its parsing, code execution becomes possible. Exploitation is complex and requires specific conditions for the attacker to control the cache.
Affected Software
- parso <0.5.0 (<=0.4.0)
Technical Details
The parso library, in versions through 0.4.0, has a deserialization vulnerability in its grammar caching mechanism. Parso uses Python's pickle module to store parsed grammar structures in its cache. If an attacker can inject a specially crafted, malicious pickle object into a parso cache grammar file and subsequently trigger the loading and deserialization of this tampered cache file, they can achieve Arbitrary Code Execution, because pickle.loads() can execute arbitrary code when deserializing malicious data. The key attack vector is therefore the ability to write to and control the content of the parso cache directory. The CVE is disputed because that cache directory is typically not under an attacker's control in common configurations, which implies a multi-stage attack or an already compromised system.
What is the Impact of CVE-2019-12760?
Successful exploitation may allow attackers to execute arbitrary code on the system, leading to full system compromise, data manipulation, or denial-of-service.
What is the Exploitability of CVE-2019-12760?
Exploitation of this vulnerability is complex. It requires an attacker to have write access to the parso cache directory and a way to make the application load the tampered cache file. Prerequisites include either local file system access or a separate vulnerability that allows arbitrary file writes. The parso library itself requires no authentication, but system-level authentication may be needed to reach the cache directory. The privileges needed to write to the cache directory range from low, if permissions are misconfigured, to high for typical installations. Access would likely be local, since manipulating file system caches is typically a local operation, although it could be remote when combined with other vulnerabilities that allow remote file manipulation. The special condition is the ability to write a malicious pickle to the cache directory and ensure it is subsequently loaded and deserialized. The likelihood of exploitation is low given these stringent prerequisites, as the cache directory is usually not attacker-controlled.
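The mechanism described in the two sections above (a pickle file in a cache directory that is unpickled on load, and an attacker whose only requirement is write access to that directory) comes down to three checks a defender can put in front of the unpickle call: file ownership and permission bits, an integrity tag over the bytes, and an unpickler that refuses to import any global not on an allowlist. The block below is an added example and is neither parso's code nor the fix shipped in 0.5.0; the `SAFE_GLOBALS` allowlist, the HMAC-then-pickle file layout, the key handling, the `grammar` dictionary and the `TamperedEntry` sample are all constructed for illustration and use built-in types rather than parso's grammar objects.

```python
import hashlib
import hmac
import io
import os
import pickle
import stat
import tempfile

# Constructed allowlist: the only globals a cache pickle may reference.
# A real grammar cache would list the project's own grammar classes here.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple")}
TAG_LEN = 32  # HMAC-SHA256 digest size


class UnsafeCacheError(Exception):
    """Raised when a cache file fails an ownership, integrity or content check."""


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to import any global not on SAFE_GLOBALS. Pickle reaches code
    execution by naming a callable the loader imports and calls; denying the
    import removes that primitive even when the file itself is forged."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise UnsafeCacheError(f"cache references forbidden global {module}.{name}")


def check_cache_file_permissions(path):
    """Assumed policy (POSIX only): owned by this user, not group/world-writable."""
    if os.name != "posix":
        return
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise UnsafeCacheError("cache file is not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeCacheError("cache file is group- or world-writable")


def save_cache(path, obj, key):
    """Write HMAC-SHA256(key, pickle) followed by the pickle, file mode 0600."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(tag + payload)


def load_cache(path, key):
    """Load a cache file only if permissions, HMAC and content all check out."""
    check_cache_file_permissions(path)
    with open(path, "rb") as f:
        data = f.read()
    tag, payload = data[:TAG_LEN], data[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise UnsafeCacheError("cache HMAC mismatch: file was modified or forged")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


class TamperedEntry:
    """Constructed sample of an entry that makes the loader call a function on
    load. The function here is the harmless os.getcwd; plain pickle.load would
    import and call whatever is named, which is the problem with untrusted caches."""

    def __reduce__(self):
        return (os.getcwd, ())


def _rejects(fn):
    """True if fn() raises UnsafeCacheError, False if it returns normally."""
    try:
        fn()
        return False
    except UnsafeCacheError:
        return True


def demo():
    """Run the loader over a constructed grammar and three failure cases."""
    key = os.urandom(32)  # per-installation secret kept outside the cache dir
    grammar = {"tokens": ["NAME", "NUMBER"], "rules": [("expr", ("NAME",))]}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "grammar.pkl")
        save_cache(path, grammar, key)
        results["trusted_roundtrip"] = load_cache(path, key) == grammar
        # Someone with write access to the cache directory swaps the file.
        with open(path, "wb") as f:
            f.write(b"\x00" * TAG_LEN + pickle.dumps(TamperedEntry()))
        results["tampered_rejected"] = _rejects(lambda: load_cache(path, key))
        # Even with no HMAC layer, the restricted unpickler refuses the global.
        raw = pickle.dumps(TamperedEntry())
        results["restricted_blocks_global"] = _rejects(
            lambda: RestrictedUnpickler(io.BytesIO(raw)).load())
        # A correctly signed file that anyone could rewrite is rejected too.
        save_cache(path, grammar, key)
        os.chmod(path, 0o666)
        results["world_writable_rejected"] = (
            os.name != "posix" or _rejects(lambda: load_cache(path, key)))
    return results
```

The layers are deliberately independent. The HMAC key must live somewhere the writer of the cache directory cannot reach, or that writer simply re-signs the file; the allowlisting unpickler is the layer that still holds if the key leaks or the permission check is skipped; and the permission check catches the misconfigured-directory case the exploitability section describes before any bytes are parsed. Where the cached data is plain data with no class instances, a non-executable format such as JSON removes the deserialization problem outright.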
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-12760?
Available Upgrade Options
- parso <0.5.0 → Upgrade to 0.5.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2019-12760
- https://github.com/davidhalter/parso/issues/75
- https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
- https://github.com/davidhalter/parso
- https://osv.dev/vulnerability/GHSA-22mf-97vh-x8rw
- https://github.com/pypa/advisory-database/tree/main/vulns/parso/PYSEC-2019-109.yaml
- https://github.com/advisories/GHSA-22mf-97vh-x8rw
What are Similar Vulnerabilities to CVE-2019-12760?
Similar Vulnerabilities: CVE-2017-1000350, CVE-2017-1000351, CVE-2017-1000352, CVE-2017-1000353, CVE-2017-1000354
