Tendenci
cpe:2.3:a:tendenci:tendenci:*:*:*:*:*:*:*
- <= 15.3.11
A critical deserialization vulnerability has been identified in the Tendenci content management system, specifically within the Helpdesk module, in versions through 15.3.11. This vulnerability allows remote code execution (RCE) by an authenticated user with staff privileges. The issue arises from the unsafe use of Python's pickle module for deserialization, particularly in the 'run_report()' function, which remained unpatched in those versions. Although the impact is confined to the user running the application, typically www-data, which has limited permissions, the vulnerability poses a significant risk because it allows arbitrary code execution.
Exploitation of this vulnerability allows for remote code execution on the server, executed within the context of the user running the Tendenci application, which is usually the 'www-data' user.
The vulnerability can be reproduced by saving a query that includes pickled data into a 'SavedSearch' object. When this object is accessed through the Helpdesk module by a user with staff privileges, the 'run_report()' function will unpickle the data using the vulnerable 'pickle.loads()' method, leading to code execution.
Users are advised to update Tendenci to version 15.3.12 or later, where this vulnerability has been patched.
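The root cause above is a stored query being passed to 'pickle.loads()', which will import and call whatever the pickle stream names. The following is an added, illustrative hardening pattern for a saved-search loader, not Tendenci's own code: it statically scans the pickle for code-loading opcodes before touching it, refuses every import during loading as a second line of defence, and re-encodes vetted legacy queries as JSON so the pickle path can be retired. The function names and the sample queries are constructed for this example.

```python
import io
import json
import pickle
import pickletools

# Opcodes that import or construct arbitrary objects. A query made of plain
# dicts, lists, strings and numbers never needs any of them.
CODE_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
            "NEWOBJ", "NEWOBJ_EX"}


class UnsafePickle(ValueError):
    """Raised when a stored query is anything other than plain data."""


def scan_pickle(data: bytes) -> set:
    """List the code-loading opcodes in a pickle stream without executing it.
    pickletools.genops only disassembles; it never calls into the payload."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_OPS}


class PlainDataUnpickler(pickle.Unpickler):
    """Second line of defence: refuse every import the stream asks for."""
    def find_class(self, module, name):
        raise UnsafePickle(f"refused import of {module}.{name}")


def load_legacy_query(data: bytes) -> dict:
    """Load a pickled saved-search query only if it is plain data (assumed
    to be a dict of filter fields; this is an illustrative schema)."""
    found = scan_pickle(data)
    if found:
        raise UnsafePickle(f"code-loading opcodes present: {sorted(found)}")
    query = PlainDataUnpickler(io.BytesIO(data)).load()
    if not isinstance(query, dict):
        raise UnsafePickle("query must be a dict")
    return query


def migrate_query(data: bytes) -> str:
    """Re-encode a vetted legacy pickle as JSON, which cannot carry code."""
    return json.dumps(load_legacy_query(data), sort_keys=True)


def make_samples():
    """Constructed test data: a harmless query, and a pickle of a stdlib
    object that needs an import (datetime.date) to be rebuilt on load."""
    import datetime
    plain = pickle.dumps({"status": "open", "priority": 3})
    with_import = pickle.dumps(datetime.date(2024, 1, 1))
    return plain, with_import
```

The datetime sample is benign; it merely exercises the same GLOBAL/REDUCE opcodes an attacker-controlled pickle would rely on, so it shows where the scan and the restricted unpickler stop loading.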