Deserialization of Untrusted Data in ParlAI

Moderate severity GitHub Reviewed Published Sep 13, 2021 to the GitHub Advisory Database • Updated Apr 13, 2023

Package

parlai (pip)

Affected versions

< 1.1.0

Patched versions

1.1.0

Description

ParlAI loads YAML configuration with an unsafe deserializer, one that honours language-specific tags and constructs arbitrary Python objects while parsing. An attacker who can modify a local YAML configuration file read by ParlAI can therefore plant a tag that invokes an arbitrary callable, resulting in code execution in the context of the ParlAI process or similar risks. The precondition is write access to a configuration file that the target later loads, which is why the advisory is rated moderate rather than critical. This issue affects ParlAI prior to v1.1.0; upgrade to 1.1.0 or later.
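The following is an added illustration of the vulnerability class, not ParlAI's own code or its patch. It assumes PyYAML, constructs a sample configuration file in which the attacker has replaced one value with a python/object/apply tag (the callable and the echo command are chosen here as a harmless stand-in for a real payload), and contrasts the unsafe loader, which runs the callable during parsing, with yaml.safe_load, which refuses the tag. The field names in the sample config are made up for the example.

```python
import subprocess

import yaml

# Constructed sample: a config file after an attacker with local write access
# has edited it. The greeting value carries a PyYAML-specific tag that tells an
# unsafe loader to call subprocess.check_output(["echo", "code-ran"]) at parse time.
MALICIOUS_CONFIG = """
task: example_task
model: example_model
greeting: !!python/object/apply:subprocess.check_output [["echo", "code-ran"]]
"""

# Constructed sample: the same file as a benign user would have written it.
BENIGN_CONFIG = """
task: example_task
model: example_model
greeting: hello
"""


def load_unsafe(text):
    """Vulnerable pattern: yaml.Loader (like yaml.unsafe_load) resolves
    python/* tags and executes the referenced callable while parsing."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Hardened pattern: SafeLoader only constructs plain YAML types
    (scalars, sequences, mappings) and raises on any python/* tag."""
    return yaml.safe_load(text)


def safe_rejects(text):
    """True if the safe loader refuses the document because of a forbidden tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    cfg = load_unsafe(MALICIOUS_CONFIG)
    # The value is now the bytes echo printed, which proves the callable ran
    # before the application ever looked at the config.
    print("unsafe loader executed:", cfg["greeting"])
    print("safe loader rejects malicious file:", safe_rejects(MALICIOUS_CONFIG))
    print("safe loader still parses benign file:", load_safe(BENIGN_CONFIG))
```

When auditing a Python code base for this bug, grep for yaml.load, yaml.unsafe_load, yaml.Loader, yaml.UnsafeLoader and yaml.FullLoader; only yaml.safe_load / yaml.SafeLoader (or a custom loader that registers no python/* constructors) should be used on any file an untrusted party could write.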

References

Published by the National Vulnerability Database Sep 10, 2021
Reviewed Sep 13, 2021
Published to the GitHub Advisory Database Sep 13, 2021
Last updated Apr 13, 2023

Severity

Moderate

EPSS score

14.494%
(96th percentile)

Weaknesses

CVE ID

CVE-2021-24040

GHSA ID

GHSA-mwgj-7x7j-6966

Credits
