GHSA-339M-4QW5-J2G3

Vulnerability from github – Published: 2026-01-21 16:38 – Updated: 2026-01-22 15:43
VLAI?
Summary
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
Details

A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python's pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs.

Key Finding: The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads().

Permission Scoping: The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions.

Vulnerability Details

Affected Version

  • Version: Tendenci 15.3.11 and earlier (all versions since incomplete CVE-2020-14942 patch)
  • Component: tendenci/apps/helpdesk/views/staff.py

Related CVE

  • CVE-2020-14942: Original pickle deserialization vulnerability (partially patched)
  • GitHub Advisory: GHSA-jqmc-fxxp-r589
  • Original Issue: https://github.com/tendenci/tendenci/issues/867

Tendenci User Role Hierarchy

Level Role Description
0 is_superuser Highest privilege - full Django admin
1 is_staff user with Staff security level - can access helpdesk module
2 Authenticated User Basic user access
3 Anonymous User Public read-only access

is_staff is a commonly assigned role (by a superuser) for helpdesk operators who manage support tickets - not system administrators.

Code Comparison (Patched vs Vulnerable)

Function Line Deserialization Status
ticket_list() 763 simplejson.loads() ✅ SAFE
run_report() 1062 pickle.loads() ❌ VULNERABLE

Why This Qualifies for CVE Assignment

This vulnerability represents an incomplete patch bypass for CVE-2020-14942 with a clear exploitation path. The flaw allows a malicious user with Staff security level to achieve Remote Code Execution via Python's pickle.loads. Though the damage is contained to the user that your Tendenci application runs.

Remediation

Update Tendenci to the latest version (v15.3.12 as of now) immediately if you have Helpdesk enabled. Note that Helpdesk is not enabled by default. All of our hosted sites have been patched, although none of our client sites have the Helpdesk enabled.

References

  • Tendenci GitHub: https://github.com/tendenci/tendenci
  • CVE-2020-14942: https://nvd.nist.gov/vuln/detail/CVE-2020-14942
  • GitHub Advisory: https://github.com/advisories/GHSA-jqmc-fxxp-r589
  • Original Issue: https://github.com/tendenci/tendenci/issues/867
  • CWE-502: https://cwe.mitre.org/data/definitions/502.html
  • Python Pickle Security: https://docs.python.org/3/library/pickle.html#restricting-globals
Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tendenci"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "15.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T16:38:15Z",
    "nvd_published_at": "2026-01-22T01:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python\u0027s pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs.\n\n**Key Finding:** The original CVE-2020-14942 was incompletely patched. While `ticket_list()` was fixed to use safe JSON deserialization, the `run_report()` function still uses unsafe `pickle.loads()`.\n\n**Permission Scoping:** The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions.\n\n## Vulnerability Details\n\n### Affected Version\n- **Version:** Tendenci 15.3.11 and earlier (all versions since incomplete CVE-2020-14942 patch)\n- **Component:** `tendenci/apps/helpdesk/views/staff.py`\n\n### Related CVE\n- **CVE-2020-14942:** Original pickle deserialization vulnerability (partially patched)\n- **GitHub Advisory:** GHSA-jqmc-fxxp-r589\n- **Original Issue:** https://github.com/tendenci/tendenci/issues/867\n\n### Tendenci User Role Hierarchy\n\n| Level | Role | Description |\n|-------|------|-------------|\n| 0 | `is_superuser` | Highest privilege - full Django admin |\n| 1 | `is_staff` | user with Staff security level - can access helpdesk module |\n| 2 | Authenticated User | Basic user access |\n| 3 | Anonymous User | Public read-only access |\n\n`is_staff` is a commonly assigned role (by a superuser) for helpdesk operators who manage support tickets - not system administrators. \n\n\n### Code Comparison (Patched vs Vulnerable)\n\n| Function | Line | Deserialization | Status |\n|----------|------|-----------------|--------|\n| `ticket_list()` | 763 | `simplejson.loads()` | \u2705 SAFE |\n| `run_report()` | 1062 | `pickle.loads()` | \u274c VULNERABLE |\n\n## Why This Qualifies for CVE Assignment\n\nThis vulnerability represents an **incomplete patch bypass** for CVE-2020-14942 with a clear exploitation path. The flaw allows a malicious user with Staff security level to achieve Remote Code Execution via Python\u0027s pickle.loads. Though the damage is contained to the user that your Tendenci application runs. \n\n## Remediation\n\nUpdate Tendenci to the latest version (v15.3.12 as of now) immediately if you have Helpdesk enabled. Note that Helpdesk is not enabled by default. All of our hosted sites have been patched, although **none** of our client sites have the Helpdesk enabled.\n\n\n## References\n\n- Tendenci GitHub: https://github.com/tendenci/tendenci\n- CVE-2020-14942: https://nvd.nist.gov/vuln/detail/CVE-2020-14942\n- GitHub Advisory: https://github.com/advisories/GHSA-jqmc-fxxp-r589\n- Original Issue: https://github.com/tendenci/tendenci/issues/867\n- CWE-502: https://cwe.mitre.org/data/definitions/502.html\n- Python Pickle Security: https://docs.python.org/3/library/pickle.html#restricting-globals",
  "id": "GHSA-339m-4qw5-j2g3",
  "modified": "2026-01-22T15:43:00Z",
  "published": "2026-01-21T16:38:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14942"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23946"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/issues/867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e"
    },
    {
      "type": "WEB",
      "url": "https://docs.python.org/3/library/pickle.html#restricting-globals"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jqmc-fxxp-r589"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tendenci/tendenci"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/releases/tag/v15.3.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.