{ "id": "CVE-2020-24164", "sourceIdentifier": "cve@mitre.org", "published": "2020-09-11T06:15:11.903", "lastModified": "2020-09-15T14:38:40.417", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface." }, { "lang": "es", "value": "Un fallo de deserializaci\u00f3n est\u00e1 presente en Taoensso Nippy versiones anteriores a 2.14.2. En algunas circunstancias, es posible para un atacante crear una carga \u00fatil maliciosa que, cuando es deserializada, permitir\u00e1 que sea ejecutado un c\u00f3digo arbitrario. Esto ocurre porque se presenta un uso autom\u00e1tico de la interfaz Java Serializable." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 5.9 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true } ] }, "weaknesses": [ 
{ "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-502" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:taoensso:nippy:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.14.2", "matchCriteriaId": "7F0B82F0-2B55-4EAF-98CB-208211CE99EB" } ] } ] } ], "references": [ { "url": "https://github.com/ptaoussanis/nippy/issues/130", "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ] } ] }