Change by Junyu Zhang:
--
components: Library (Lib)
files: Python-multiprocessing-RCE-vulnerability.pdf
nosy: Junyu Zhang
priority: normal
severity: normal
status: open
title: [CVE-2020-10796] Python multiprocessing Remote Code Execution vulnerability
type: security
versions: Python
New submission from Junyu Zhang:
description:
When we were using Python to develop a distributed process service, I noticed
that the default serialization parameter of Manager and ManagerBase in
multiprocessing was pickle, and it didn't seem to be mentioned in the official
webs
Junyu Zhang added the comment:
Thank you for your reply, this report is indeed the situation prompted by the
warning. There will be few problems in the single-machine deployment mode. Of
course, it is also possible to take advantage of the possibility of elevation
of privilege. In the
Junyu Zhang added the comment:
Thank you for your reply. Yes, under normal circumstances, keys are generally
not leaked. I may have only considered the following attacks at the time:
1. If the client script of the distributed process is on another machine, or
the key is leaked due to