GHSA-6h2x-4gjf-jc5w autogluon.multimodal

Package

Manager: pip
Name: autogluon.multimodal
Vulnerable Version: >=0.4.0 <0.4.3 || >=0.5.0 <0.5.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

autogluon.multimodal vulnerable to unsafe YAML deserialization

### Impact

A potential unsafe deserialization issue exists within the `autogluon.multimodal` module, where YAML files are loaded via `yaml.load()` instead of `yaml.safe_load()`. The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.

Impacted versions: `>=0.4.0;<0.4.3`, `>=0.5.0;<0.5.2`.

### Patches

The patches are included in `autogluon.multimodal==0.4.3`, `autogluon.multimodal==0.5.2` and Deep Learning Containers `0.4.3` and `0.5.2`.

### Workarounds

Do not load data which originated from an untrusted source, or that could have been tampered with. **Only load data you trust.**

### References

* https://cwe.mitre.org/data/definitions/502.html
* https://www.cvedetails.com/cve/CVE-2017-18342/
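The difference between the two loaders named above, as an added illustration that is not code from autogluon or from the advisory: the constructed sample config and all function names are assumptions for this example. The full `yaml.Loader` builds a Python object for the `python/*` tag while parsing; `yaml.safe_load()` refuses the same document; and `yaml.compose()` lets you audit a file for such tags without constructing anything.

```python
import yaml

# Constructed sample config (not from autogluon). python/tuple is harmless,
# but it belongs to the same python/* tag family that lets the full loader
# instantiate arbitrary classes and call arbitrary callables during parsing.
TAGGED_CONFIG = """
model:
  name: fusion_mlp
  hidden_sizes: !!python/tuple [128, 64]
"""


def load_config_unsafe(text: str):
    """Vulnerable pattern: every python/* tag is honoured while parsing."""
    return yaml.load(text, Loader=yaml.Loader)


def load_config_safe(text: str):
    """Fixed pattern: only plain YAML types are built; other tags raise."""
    return yaml.safe_load(text)


def find_python_tags(text: str) -> list:
    """Audit helper: list python/* tags without constructing anything.
    yaml.compose() only builds the node graph, so it is safe on untrusted input."""
    found = []
    def walk(node):
        if node.tag.startswith("tag:yaml.org,2002:python/"):
            found.append(node.tag)
        if isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)
        elif isinstance(node, yaml.SequenceNode):
            for value in node.value:
                walk(value)
    root = yaml.compose(text, Loader=yaml.SafeLoader)
    if root is not None:
        walk(root)
    return found


def safe_load_rejects(text: str) -> bool:
    """True if the safe loader refuses the document instead of building it."""
    try:
        load_config_safe(text)
    except yaml.constructor.ConstructorError:
        return True
    return False
```

If a config genuinely needs a non-standard type, register a constructor for that one tag on a `yaml.SafeLoader` subclass rather than falling back to the full loader.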

Metadata

Created: 2022-09-21T21:42:05Z
Modified: 2022-09-21T21:42:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-6h2x-4gjf-jc5w/GHSA-6h2x-4gjf-jc5w.json
CWE IDs: ["CWE-502"]
Alternative ID: N/A
Finding: F096
Auto approve: 1