
[Security] potential issue with jsonpickle


Right now, aws-xray-sdk-python relies on jsonpickle, which is known to be vulnerable to arbitrary code execution.

https://nvd.nist.gov/vuln/detail/CVE-2020-22083
https://github.com/jsonpickle/jsonpickle/issues/332
https://github.com/jsonpickle/jsonpickle/issues/335

Is this a cause for concern when using aws-xray-sdk-python, or does it completely handle this vulnerability?

Thanks

asked 5 years ago, 369 views
1 Answer

Hey sefeki,

aws-xray-sdk-python only uses the encode API from jsonpickle (see: https://github.com/aws/aws-xray-sdk-python/search?q=jsonpickle), so currently it's safe to use aws-xray-sdk-python. But since this has already raised awareness of the security issue, we will be working to replace it with another feasible dependency for serializing data in the near future to mitigate this security warning.

answered 5 years ago
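The answer's reasoning is that only the encode side of jsonpickle is called, while the CVE concerns deserialization. The script below is an added example, not code from aws-xray-sdk-python or jsonpickle, that makes that kind of review repeatable: it walks a module's AST and flags decode-side jsonpickle calls (`decode`, `loads`, `Unpickler`) under any import alias, leaving `encode`/`dumps` alone. `find_jsonpickle_decodes`, `_root_name` and the two sample sources are constructed for this illustration.

```python
import ast
from typing import List, Optional, Tuple

# jsonpickle entry points that turn text back into live objects (decode side).
DECODE_NAMES = {"decode", "loads", "Unpickler"}

# Constructed samples: the first mirrors the encode-only pattern the answer
# describes; the second is what a dependency review should flag.
SAFE_SRC = """
import jsonpickle
def dump(obj):
    return jsonpickle.encode(obj)  # serialization only, no decode path
"""
RISKY_SRC = """
import jsonpickle as jp
from jsonpickle import decode as load_obj
def restore(blob):
    a = jp.decode(blob)
    b = load_obj(blob)
    return a, b
"""


def _root_name(node: ast.expr) -> Optional[str]:
    """Leftmost Name of an attribute chain, e.g. 'jp' for jp.unpickler.decode."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def find_jsonpickle_decodes(source: str) -> List[Tuple[int, str]]:
    """Return (line, call_text) for each decode-side jsonpickle call in source."""
    tree = ast.parse(source)
    module_aliases = set()  # names bound to the jsonpickle package (import ... as)
    direct_names = set()    # decode-side names bound via 'from jsonpickle import'
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name.split(".")[0] == "jsonpickle":
                    module_aliases.add(a.asname or a.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] == "jsonpickle":
            for a in node.names:
                if a.name in DECODE_NAMES:
                    direct_names.add(a.asname or a.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr in DECODE_NAMES and _root_name(f) in module_aliases:
            hits.append((f.lineno, ast.unparse(f)))
        elif isinstance(f, ast.Name) and f.id in direct_names:
            hits.append((f.lineno, f.id))
    return sorted(hits)  # SAFE_SRC -> []; RISKY_SRC -> [(5, 'jp.decode'), (6, 'load_obj')]
```

Run it over every file in a dependency tree (for example with `pathlib.Path.rglob("*.py")`) to confirm an "encode only" claim before accepting it.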
