CVE-2021-39207

Published: Sep 10, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

8.4

HIGH

Description

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.

Vendor	Product	Versions
facebookresearch	ParlAI	affected `< 1.1.0`

Weaknesses (CWE)

CWE-502

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg

x_refsource_CONFIRM

https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879

x_refsource_MISC

https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-39207

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References