# CVE-2022-37298: RCE in Shinken Monitoring
**Versions affected:** 2.4.3
**Disclosure link:** https://github.com/naparuba/shinken/commit/2dae40fd1e713aec9e1966a0ab7a580b9180cff2
**CVE link:** https://vulners.com/cve/CVE-2022-37298
The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme (actually no authentication at all) when unserializing objects passed from legitimate monitoring nodes to the Shinken server. A remote attacker can craft and send a pickle object instantiating an internal, implicitly trusted Shinken object; some of which can be leveraged to execute arbitrary code on the monitoring server itself.