fickling@0.1.3 vulnerabilities

A static analyzer and interpreter for Python pickle data

  • latest version

    0.1.7

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    5 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the fickling package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the runpy module. An attacker can execute arbitrary code by supplying a malicious pickle file that uses runpy.run_path or runpy.run_module to run attacker-controlled scripts during deserialization. The resulting file is classified as SUSPICIOUS and may therefore be assumed safe and executed.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unsafe_imports function. An attacker can execute arbitrary code by supplying a malicious pickle that imports dangerous modules not detected by the static analyzer, which then passes the safety checks and is loaded by the victim.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can execute arbitrary code by supplying a malicious pickle payload that uses the pydoc and ctypes modules to bypass detection mechanisms. Once classified as LIKELY_SAFE, the resulting file may be loaded and presumed safe.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the cProfile.run process. An attacker can execute arbitrary code by supplying a malicious pickle file that bypasses checks and gets classified as SUSPICIOUS. This may cause it to be treated as safe and executed.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the analysis of pickle files: import nodes for certain modules, such as builtins, are not emitted in the abstract syntax tree, so the security analysis cannot detect those dangerous imports. An attacker can execute arbitrary code by including dangerous functions from builtins, such as __import__, which run when the malicious file is loaded on the assumption that it is safe because it was tagged LIKELY_SAFE.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to incomplete detection of dangerous pickle constructs. The safety analysis fails to block certain unsafe module imports, allowing malicious pickle files that invoke functions such as pty.spawn() to bypass heuristic checks. An attacker can craft a pickle that manipulates stack usage to evade the unused-variable heuristic and execute arbitrary code when the pickle is analyzed or processed.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.6 or higher.

    [,0.1.6)
    • Severity: High
    Deserialization of Untrusted Data

    fickling is a static analyzer and interpreter for Python pickle data.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to missing detection of unsafe module use via marshal.loads and types.FunctionType. An attacker can execute arbitrary code by crafting a malicious pickle file that leverages these constructs to bypass security checks during deserialization.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.6 or higher.

    [,0.1.6)