vulnerability
Arch Linux: Arbitrary code execution (CVE-2020-22083)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Dec 17, 2020 | Jul 11, 2025 | Jan 5, 2026 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Dec 17, 2020
Added
Jul 11, 2025
Modified
Jan 5, 2026
Description
** DISPUTED ** jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data.
Solution
arch-linux-upgrade-latest
References
- CVE-2020-22083
- https://attackerkb.com/topics/CVE-2020-22083
- URL-https://access.redhat.com/security/cve/CVE-2020-22083
- URL-https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874
- URL-https://github.com/j0lt-github/python-deserialization-attack-payload-generator
- URL-https://github.com/jsonpickle/jsonpickle/issues/332
- URL-https://github.com/jsonpickle/jsonpickle/issues/332#issuecomment-747807494
- URL-https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/
- CWE-502
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.