SYM_PY_0093 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using the Python 'shelve' module is risky because it serializes stored values with 'pickle': every value read back from a shelf file is unpickled, and unpickling data that an attacker has supplied or tampered with can execute arbitrary code. Avoid using 'shelve' for storing data from untrusted sources.
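As an added example (not code from the Symbiotic database), the following Python shows two defensive measures: an opcode scan that inspects a pickle stream with 'pickletools' without ever loading it, and a shelf replacement that stores JSON text in a 'dbm' file so that a tampered file cannot reach code execution. The names 'unsafe_opcodes', 'JsonStore', 'roundtrip_example' and 'demo_scans' are assumptions of this example.

```python
import datetime
import dbm
import json
import pickle
import pickletools
import tempfile

# Opcodes through which unpickling reaches arbitrary callables or attribute
# writes; a stream containing none of them cannot run code when loaded.
UNSAFE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                  "NEWOBJ_EX", "REDUCE", "BUILD"}

def unsafe_opcodes(payload: bytes) -> set:
    """Walk a pickle stream with pickletools (never executing it) and
    report which of the risky opcodes it contains."""
    return {op.name for op, _arg, _pos in pickletools.genops(payload)
            if op.name in UNSAFE_OPCODES}

class JsonStore:
    """Shelf-like store that keeps values as JSON text in a dbm file; a
    tampered file can at worst raise a decoding error, never run code."""
    def __init__(self, path: str):
        self._db = dbm.open(path, "c")
    def __setitem__(self, key: str, value) -> None:
        self._db[key.encode()] = json.dumps(value).encode()  # TypeError for non-data
    def __getitem__(self, key: str):
        return json.loads(self._db[key.encode()].decode())
    def close(self) -> None:
        self._db.close()

def roundtrip_example() -> dict:
    """Write a record with JsonStore, reopen the file and read it back."""
    path = tempfile.mkdtemp() + "/store"  # constructed throwaway path
    store = JsonStore(path)
    store["user"] = {"name": "alice", "roles": ["admin"]}
    store.close()
    store = JsonStore(path)
    try:
        return store["user"]
    finally:
        store.close()

def demo_scans() -> dict:
    """Plain data pickles to container opcodes only, while even a harmless
    datetime.date needs GLOBAL/REDUCE to be rebuilt: the same mechanism a
    tampered shelf would exercise with a different callable."""
    return {"plain": unsafe_opcodes(pickle.dumps({"count": 3})),
            "date": unsafe_opcodes(pickle.dumps(datetime.date(2024, 1, 1)))}
```

Calling 'demo_scans()' shows that the opcode scan flags reconstruction opcodes even for benign objects, which is why a scan can only reject, not vouch for, a shelf of untrusted origin; 'roundtrip_example()' shows the JSON-backed store working as a shelf replacement for plain data.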
Impact
If an attacker supplies or alters the serialized data, they could execute arbitrary code on your server, potentially leading to data breaches, system compromise, or complete takeover of the application environment.