CVE-2022-35411
Published: 08 July 2022
Summary
CVE-2022-35411 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rpc.Py Project Rpc.Py. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
rpc.py versions through 0.6.0 contain a remote code execution vulnerability that stems from unsafe deserialization. Although the library defaults to JSON serialization for RPC calls, an unauthenticated client can supply an HTTP header of "serializer: pickle" to force the server to process incoming data with Python's pickle module, resulting in arbitrary code execution on the host.
An attacker with network access to an exposed rpc.py instance can therefore send a single crafted request containing a malicious pickled payload. Successful exploitation grants the attacker the ability to execute operating-system commands, read or modify data, and fully compromise the affected process without authentication or user interaction, consistent with the CVSS 9.8 rating.
Public references document both the flaw and its remediation: a patch was merged in commit 491e7a84 that removes support for the pickle serializer. Exploit code and proof-of-concept packets have been published on GitHub and Packet Storm, and the current EPSS score of 0.7133 indicates sustained exploitation interest since disclosure.
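The two controls a defender wants against the header-switch described above are a strict serializer allowlist on the server and detection of requests that ask for pickle. The following is an added example written for this page, not rpc.py's own code and not the 491e7a84 patch; the `serializer` header name comes from the advisory, while the access-log format and the sample log lines are constructed for illustration.

```python
"""Added example (not rpc.py's code): allowlist the serializer header and
flag requests that asked for pickle. Log format and sample lines are constructed."""
import re
from typing import Iterable, Mapping

# Only the default JSON format is ever accepted; pickle is not an option.
ALLOWED_SERIALIZERS = frozenset({"json"})


def requested_serializer(headers: Mapping[str, str]) -> str:
    """Normalise the request's serializer choice (header lookup is case-insensitive).
    A missing header means the JSON default."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return lowered.get("serializer", "json")


def is_serializer_allowed(headers: Mapping[str, str]) -> bool:
    """True only when the request stays on the allowlist; 'pickle' is refused."""
    return requested_serializer(headers) in ALLOWED_SERIALIZERS


def select_serializer(headers: Mapping[str, str]) -> str:
    """Server-side gate: return the serializer to use or raise before any decode."""
    name = requested_serializer(headers)
    if name not in ALLOWED_SERIALIZERS:
        raise ValueError(f"serializer {name!r} is not permitted")
    return name


# Constructed access-log format: "<client> <method> <path> serializer=<value>"
_LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) serializer=(?P<ser>\S+)$"
)


def find_pickle_requests(log_lines: Iterable[str]) -> list[dict]:
    """Return one record per logged request that requested the pickle serializer."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if m and m.group("ser").lower() == "pickle":
            hits.append(m.groupdict())
    return hits


# Constructed sample log: one normal call, one request asking for pickle.
SAMPLE_LOG = [
    "192.0.2.10 POST /sys/echo serializer=json",
    "198.51.100.7 POST /sys/echo serializer=Pickle",
    "192.0.2.11 POST /sys/echo serializer=json",
]
```

Running `find_pickle_requests(SAMPLE_LOG)` over real rpc.py access logs only works if the serializer header is actually written to the log; the allowlist gate does not depend on logging.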
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6297
Vulnerability details
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Training instructs users on protecting credentials from disclosure or unauthorized access.
Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.
Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.
Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.
Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.