{"id":"PYSEC-2019-39","details":"** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because \"the cache directory is not under control of the attacker in any common configuration.\"","modified":"2023-03-14T07:01:09.346613Z","published":"2019-06-06T19:29:00Z","withdrawn":"2023-03-14T07:01:09.346613Z","references":[{"type":"WEB","url":"https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7"},{"type":"WEB","url":"https://github.com/davidhalter/parso/issues/75"}],"affected":[{"package":{"name":"parso","ecosystem":"PyPI","purl":"pkg:pypi/parso"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.0"}]}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.1.0","0.1.1","0.2.0","0.2.1","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.4.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/parso/PYSEC-2019-39.yaml"}}],"schema_version":"1.7.3"}