CVE-2021-24040 – parlai
Package
Manager: pip
Name: parlai
Vulnerable Version: >=0 <1.1.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.31816 (percentile: 0.96667)
Details
Deserialization of Untrusted Data in ParlAI
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Metadata
Created: 2021-09-13T20:06:14Z
Modified: 2021-09-13T19:29:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-mwgj-7x7j-6966/GHSA-mwgj-7x7j-6966.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-mwgj-7x7j-6966
Finding: F096
Auto approve: 1