CVE-2021-41127

Published: Oct 21, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.

Vendor	Product	Versions
RasaHQ	rasa	affected `< 2.8.10`

Weaknesses (CWE)

CWE-22

CWE-23

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

References

https://github.com/RasaHQ/rasa/security/advisories/GHSA-4365-fhm5-qcrx

x_refsource_CONFIRM

https://github.com/RasaHQ/rasa/commit/1b6b502f52d73b4f8cd1959ce724b8ad0eb33989

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-41127

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References