Deserialization of Untrusted Data in web2py - CVE-2016-3957
Published: June 27, 2019 / Updated: June 28, 2019
Vulnerability identifier: #VU18926
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2016-3957
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: web2py
Affected software:
web2py
web2py
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the "secure_load" function in "gluon/utils.py" uses pickle.loads to deserialize session information stored in cookies. A remote attacker with knowledge of the encryption key (see vulnerability #1) can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2016-3957
Install updates from vendor's website.