CVE-2021-39207 – parlai
Package
Manager: pip
Name: parlai
Vulnerable Version: >=0 <1.1.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L
EPSS: 0.01351 (percentile 0.79368)
Details
Deserialization of Untrusted Data in parlai

### Impact
ParlAI parsed YAML configuration files with an unsafe PyYAML loader, one that honours Python-specific tags such as `!!python/object/apply` and so can instantiate arbitrary objects or call arbitrary callables while parsing. An attacker able to modify a local YAML configuration file that ParlAI later loads can therefore supply a crafted document and obtain code execution in the process that loads it (the advisory describes this as remote code execution or similar risks). The precondition is write access to such a file, which is why the CVSS vectors above rate the attack as requiring privileges (and, in v4, attack requirements) rather than being reachable from an unauthenticated network position.

### Patches
Upgrade to v1.1.0 or later. Alternatively, replace the unsafe YAML deserialization with equivalent `yaml.safe_load` calls, which only construct plain YAML types (mappings, sequences, scalars) and reject Python object tags.

### References
- https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725
- https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
- https://anon-artist.github.io/blogs/blog3.html
Metadata
Created: 2021-09-13T20:05:39Z
Modified: 2024-10-09T21:00:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-m87f-9fvv-2mgg/GHSA-m87f-9fvv-2mgg.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-m87f-9fvv-2mgg
Finding: F096
Auto approve: 1