GHSA-6h2x-4gjf-jc5w autogluon-multimodal

Package

Manager: pip
Name: autogluon-multimodal
Vulnerable Version: =0.4.3b20220616 || =0.4.3b20220617 || =0.4.3b20220618 || =0.4.3b20220619 || =0.4.3b20220620 || =0.4.3b20220621 || =0.4.3b20220622 || >=0.4.0 <0.4.3 || =0.5.0 || =0.5.1 || =0.5.1b20220624 || =0.5.1b20220625 || =0.5.1b20220626 || =0.5.1b20220627 || =0.5.1b20220628 || =0.5.1b20220629 || =0.5.1b20220630 || =0.5.1b20220701 || =0.5.1b20220702 || =0.5.1b20220703 || =0.5.1b20220704 || =0.5.1b20220705 || =0.5.1b20220706 || =0.5.1b20220707 || =0.5.1b20220708 || =0.5.1b20220709 || =0.5.1b20220710 || =0.5.1b20220711 || =0.5.1b20220712 || =0.5.1b20220713 || =0.5.1b20220714 || =0.5.1b20220715 || =0.5.1b20220716 || =0.5.1b20220717 || =0.5.1b20220718 || =0.5.2b20220719 || =0.5.2b20220720 || =0.5.2b20220721 || =0.5.2b20220722 || =0.5.2b20220723 || =0.5.2b20220724 || =0.5.2b20220725 || =0.5.2b20220726 || =0.5.2b20220727 || =0.5.2b20220728 || >=0.5.0 <0.5.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

autogluon.multimodal vulnerable to unsafe YAML deserialization

### Impact

A potential unsafe deserialization issue exists within the `autogluon.multimodal` module, where YAML files are loaded via `yaml.load()` instead of `yaml.safe_load()`. With PyYAML's full loader (the default for `yaml.load()` before PyYAML 5.1), YAML tags such as `!!python/object/apply:` are resolved to arbitrary Python callables at load time, so deserializing untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.

Impacted versions: `>=0.4.0;<0.4.3`, `>=0.5.0;<0.5.2`.

### Patches

The patches are included in `autogluon.multimodal==0.4.3`, `autogluon.multimodal==0.5.2` and Deep Learning Containers `0.4.3` and `0.5.2`.

### Workarounds

Do not load data which originated from an untrusted source, or that could have been tampered with. **Only load data you trust.**

### References

* https://cwe.mitre.org/data/definitions/502.html (CWE-502: Deserialization of Untrusted Data)
* https://www.cvedetails.com/cve/CVE-2017-18342/ (the underlying PyYAML `yaml.load()` arbitrary code execution issue)
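The following is an added example, not code from the autogluon project or from this advisory. It reproduces the pattern the advisory describes: a YAML configuration document carrying a PyYAML `!!python/object/apply:` tag is loaded once with the unsafe full loader (`yaml.load(..., Loader=yaml.Loader)`, which is what `yaml.load(stream)` did by default before PyYAML 5.1) and once with `yaml.safe_load()`. The config keys (`model`, `optimization`, `learning_rate`) and the payload are constructed for illustration and are not autogluon's actual schema; the executed command is a harmless `echo` so the demo is safe to run.

```python
"""Unsafe vs. safe YAML loading (added example; not autogluon code)."""
import yaml

# Constructed sample: a config file in the general shape of an ML
# hyperparameter YAML. The learning_rate value carries a PyYAML
# python/object/apply tag, which the unsafe Loader turns into a call to
# subprocess.check_output(["echo", ...]) at parse time. A real attacker
# would substitute any command or Python callable here.
MALICIOUS_CONFIG = """\
model:
  names: [hf_text]
optimization:
  learning_rate: !!python/object/apply:subprocess.check_output
    - ["echo", "executed during yaml.load"]
"""

# Constructed sample: the same document with an ordinary numeric value.
BENIGN_CONFIG = """\
model:
  names: [hf_text]
optimization:
  learning_rate: 0.0001
"""


def load_unsafe(text):
    """Vulnerable pattern: the full Loader honours python/* tags.

    PyYAML < 5.1 used this loader when yaml.load() was called without an
    explicit Loader; PyYAML >= 6.0 requires the Loader argument, so it is
    passed explicitly here.
    """
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Hardened pattern: SafeLoader only constructs plain YAML types."""
    return yaml.safe_load(text)


def classify(text):
    """Return 'ok' if safe_load accepts the document, 'rejected' if it
    carries a tag that SafeLoader refuses to construct."""
    try:
        load_safe(text)
        return "ok"
    except yaml.constructor.ConstructorError:
        return "rejected"


if __name__ == "__main__":
    # The unsafe loader runs the embedded command and stores its output.
    print("unsafe:", load_unsafe(MALICIOUS_CONFIG)["optimization"]["learning_rate"])
    # The safe loader refuses the tagged node instead of executing anything.
    print("safe:", classify(MALICIOUS_CONFIG))
    print("benign:", load_safe(BENIGN_CONFIG)["optimization"]["learning_rate"])
```

The safe loader raises `yaml.constructor.ConstructorError` on the tagged node rather than returning a value, so callers should treat that exception as a rejected input, not as a parse bug to work around by falling back to `yaml.load()`. Upgrading to `autogluon.multimodal` 0.4.3 / 0.5.2 applies the equivalent change inside the library.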

Metadata

Created: 2022-09-21T21:42:05Z
Modified: 2024-12-02T05:42:36.343453Z
Source: https://osv-vulnerabilities
CWE IDs: ["CWE-502"]
Alternative ID: N/A
Finding: F096
Auto approve: 1