Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1td2dqLTd4N2otNjk2Ns0Vuw
Deserialization of Untrusted Data in ParlAI
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Permalink: https://github.com/advisories/GHSA-mwgj-7x7j-6966JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1td2dqLTd4N2otNjk2Ns0Vuw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
Identifiers: GHSA-mwgj-7x7j-6966, CVE-2021-24040
References:
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
- https://nvd.nist.gov/vuln/detail/CVE-2021-24040
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
- https://github.com/facebookresearch/ParlAI/pull/3402
- https://github.com/facebookresearch/ParlAI/pull/3429
- https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
- https://github.com/advisories/GHSA-mwgj-7x7j-6966
Affected Packages
pypi:parlai
Dependent packages: 2Dependent repositories: 24
Downloads: 2,138 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 0.1.20200409, 0.1.20200416, 0.1.20200610, 0.1.20200713, 0.1.20200716, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 1.0.0
All unaffected versions: 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.7.2