Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tODdmLTlmdnYtMm1nZ80VuA
Deserialization of Untrusted Data in parlai
Impact
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks.
Patches
The issue can be patched by upgrading to v1.1.0 or later. It can also be patched by replacing YAML deserialization with equivalent safe_load calls.
References
- https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725
- https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
- https://anon-artist.github.io/blogs/blog3.html
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tODdmLTlmdnYtMm1nZ80VuA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Identifiers: GHSA-m87f-9fvv-2mgg, CVE-2021-39207
References:
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
- https://nvd.nist.gov/vuln/detail/CVE-2021-39207
- https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
- https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725
- https://github.com/advisories/GHSA-m87f-9fvv-2mgg
Blast Radius: 11.6
Affected Packages
pypi:parlai
Dependent packages: 2Dependent repositories: 24
Downloads: 2,080 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 0.1.20200409, 0.1.20200416, 0.1.20200610, 0.1.20200713, 0.1.20200716, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 1.0.0
All unaffected versions: 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.7.2