Cyber Resilience

CVE-2022-35411

Severity: Critical · Public PoC available

Published: 08 July 2022
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog as of the modification date)
Patch: available (pickle serializer removed upstream in commit 491e7a84)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7133 (98.7th percentile)
Risk Priority: 62 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-35411 is a critical-severity vulnerability in rpc.py (Rpc.Py Project). The weakness type listed here is Insufficiently Protected Credentials (CWE-522); note, however, that the behaviour described below is deserialization of untrusted data via Python's pickle module (the pattern catalogued as CWE-502), which matters when reading the CWE-derived controls later on this page. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 1.3% of all CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

rpc.py versions through 0.6.0 contain a remote code execution vulnerability that stems from unsafe deserialization. Although the library defaults to JSON serialization for RPC calls, an unauthenticated client can supply an HTTP header of "serializer: pickle" to force the server to process incoming data with Python's pickle module, resulting in arbitrary code execution on the host.

An attacker with network access to an exposed rpc.py instance can therefore send a single crafted request containing a malicious pickled payload. Successful exploitation lets the attacker execute operating-system commands with the privileges of the rpc.py server process, read or modify data reachable from that process, and fully compromise it without authentication or user interaction, consistent with the CVSS 9.8 rating.

Public references document both the flaw and its remediation: a patch was merged in commit 491e7a84 that removes support for the pickle serializer rather than attempting to filter pickle input. Exploit code and proof-of-concept packets have been published on GitHub and Packet Storm, and the current EPSS score of 0.7133 reflects a high estimated probability of exploitation activity in the wild.
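The header-driven codec switch described above, reduced to a runnable stand-in. This is an added example, not rpc.py's own code or the upstream fix; every function, class and header name in it is hypothetical, and the only facts taken from this page are that JSON is the default format and that a "serializer: pickle" request header routes the body into pickle.loads(). The block shows the vulnerable selection logic, the hardened allowlist form, a detection check a proxy or log pipeline could run, and a constructed gadget whose only side effect is setting an environment variable so the outcome can be asserted without running a real command.

```python
"""Added example for CVE-2022-35411 (hypothetical code, not rpc.py's).

Facts used from the advisory: default codec is JSON; a 'serializer: pickle'
request header makes the server call pickle.loads() on an unauthenticated
request body.  Everything else here (names, request, gadget) is constructed.
"""
import json
import os
import pickle

MARKER = "RPCPY_DEMO_MARKER"  # env var the demo gadget sets; proves code ran


def parse_headers(raw_lines):
    """Turn 'Name: value' lines into a dict keyed by lowercased header name.
    Lines without a colon (the request line, blanks) are ignored."""
    headers = {}
    for line in raw_lines:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def deserialize_request_vulnerable(headers, body):
    """Vulnerable pattern: the client chooses the codec, so asking for
    'pickle' reaches pickle.loads() on attacker-controlled bytes."""
    codec = headers.get("serializer", "json").strip().lower()
    if codec == "pickle":
        return pickle.loads(body)  # arbitrary code execution happens here
    return json.loads(body)


class UnsupportedSerializer(ValueError):
    """Raised when a request asks for a codec the server does not offer."""


ALLOWED_SERIALIZERS = frozenset({"json"})


def deserialize_request_hardened(headers, body):
    """Hardened form: explicit allowlist with no pickle path at all.
    Mirrors the shape of the upstream fix described on this page (the
    codec is removed, not sanitised)."""
    codec = headers.get("serializer", "json").strip().lower()
    if codec not in ALLOWED_SERIALIZERS:
        raise UnsupportedSerializer(f"serializer {codec!r} not allowed")
    return json.loads(body)


def looks_like_pickle_probe(headers):
    """Detection check for a reverse proxy, WAF rule or log pipeline:
    any request asking for pickle, in any letter case, is an exploit attempt
    against an unpatched instance and worth alerting on."""
    return headers.get("serializer", "").strip().lower() == "pickle"


class _DemoGadget:
    """Constructed gadget: unpickling calls exec() with a harmless statement
    that sets an environment variable.  Real payloads substitute os.system."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ[{MARKER!r}] = 'unpickled'",))


def build_malicious_body():
    return pickle.dumps(_DemoGadget())


# Constructed request as an attacker would send it (request line included).
CONSTRUCTED_REQUEST = [
    "POST /rpc HTTP/1.1",
    "Host: rpc.internal.example:8000",
    "Content-Type: application/octet-stream",
    "Serializer: Pickle",
]


def demo():
    """Run the gadget through both handlers and report what happened."""
    headers = parse_headers(CONSTRUCTED_REQUEST)
    body = build_malicious_body()

    os.environ.pop(MARKER, None)
    deserialize_request_vulnerable(headers, body)
    vulnerable_executed = os.environ.get(MARKER) == "unpickled"

    os.environ.pop(MARKER, None)
    try:
        deserialize_request_hardened(headers, body)
        hardened_blocked = False
    except UnsupportedSerializer:
        hardened_blocked = True
    hardened_executed = os.environ.get(MARKER) == "unpickled"

    return {
        "flagged_by_detector": looks_like_pickle_probe(headers),
        "vulnerable_executed": vulnerable_executed,
        "hardened_blocked": hardened_blocked,
        "hardened_executed": hardened_executed,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict showing that the detector flags the request, the vulnerable handler executes the gadget, and the hardened handler rejects the request before any bytes reach a deserializer. The allowlist is the important design point: a denylist of "bad" codecs or an attempt to restrict which classes pickle may load is exactly the kind of fix that keeps getting bypassed, so removing the codec is the correct remediation.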


Vulnerability details

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

CWE(s)

CWE-522: Insufficiently Protected Credentials (as listed for this CVE on this page)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rpc.py project
Product: rpc.py
Affected versions: 0.4.2 through 0.6.0 (inclusive)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-522) cited in the NVD entry. Because CWE-522 covers credential handling while this CVE is exploited through unsafe deserialization of a request body, the credential-focused controls below do not address the actual attack path. The effective mitigation is to upgrade to a release containing the fix commit 491e7a84 (which removes the pickle serializer) and, until then, to keep rpc.py instances off untrusted networks and reject requests carrying a "serializer: pickle" header at the proxy.

Each of the following controls addresses CWE-522:

Training instructs users on protecting credentials from disclosure or unauthorized access.

Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.

Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.

Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.

Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.

Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.

Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.
