
Cloud Vulnerability DB
A community-led vulnerabilities database
Shinken Monitoring version 2.4.3 was found to be vulnerable to Remote Code Execution (RCE) through incorrect access control in the SafeUnpickler class. The vulnerability was discovered in October 2022 and affected the safepickle.py component (GitHub Commit).
The vulnerability exists in the SafeUnpickler class found in shinken/safepickle.py, which implements a weak authentication scheme when deserializing objects passed from legitimate monitoring nodes to the Shinken server. The flaw allows a remote attacker to craft and send a pickle object that instantiates an internal, implicitly trusted Shinken object, which can be leveraged to execute arbitrary code on the monitoring server (GitHub POC).
An attacker who can communicate with the daemon's internal port can execute arbitrary code on the monitoring server by exploiting the unsafe deserialization vulnerability. This could lead to complete system compromise (NVD).
The vulnerability was fixed in Shinken version 2.4.4 by implementing a whitelist of allowed classes for deserialization. The fix explicitly defines which classes are permitted to be unpickled, preventing the execution of arbitrary code (GitHub Commit).
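The allowlisting approach described in the fix, shown as an added Python 3 example that is not Shinken's code (Shinken 2.4.x runs on Python 2). The CheckResult class and the allowlist contents are hypothetical; the point is that find_class refuses any global not explicitly permitted before an object is built.

```python
import io
import os
import pickle


class CheckResult:
    """Hypothetical stand-in for an internal monitoring object (not Shinken's)."""

    def __init__(self, host: str, state: int, output: str):
        self.host = host
        self.state = state
        self.output = output

    def __eq__(self, other) -> bool:
        return isinstance(other, CheckResult) and self.__dict__ == other.__dict__


# Allowlist keyed on (module, qualified name): only these globals may be
# resolved while unpickling. Everything else is rejected.
ALLOWED_GLOBALS = {
    (__name__, "CheckResult"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly permitted globals."""

    def find_class(self, module: str, name: str):
        # pickle calls this for every GLOBAL/STACK_GLOBAL/NEWOBJ reference,
        # so refusing here stops the payload before any constructor runs.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Deserialize data with the allowlisting unpickler."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def roundtrip_allowed() -> bool:
    """An allowlisted internal object survives the round trip unchanged."""
    original = CheckResult("web01", 2, "CRITICAL - connection refused")
    return safe_loads(pickle.dumps(original)) == original


def rejects_disallowed() -> bool:
    """A pickle that merely references a non-allowlisted global is refused.
    os.getcwd is a benign function reference used as the stand-in."""
    data = pickle.dumps(os.getcwd)  # serialises as a by-name global reference
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False
```

Plain pickle.loads would resolve the same global reference without complaint, which is why a class allowlist rather than an authentication-style check on the sender is the effective mitigation.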
The vulnerability was discovered by the Dailymotion security team (Nicolas Perraud), who found a way to bypass pickle.loads protection and execute code from the daemon. The discovery was acknowledged in the project's THANKS file (GitHub Commit).
Source: This report was generated using AI