PT-2021-22459 · Parlai · Parlai

Published

2021-09-10

·

Updated

2021-09-23

·

CVE-2021-39207

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ParlAI versions prior to v1.1.0
Description

The issue is caused by unsafe YAML deserialization: ParlAI parsed YAML configuration files with a PyYAML loader that can construct arbitrary Python objects, so an attacker with the ability to modify a local YAML configuration file read by ParlAI can supply a document whose tagged nodes invoke arbitrary callables while the file is being parsed. The outcome is arbitrary code execution with the privileges of the process that loads the file, which the advisory describes as remote code execution or similar risks. The precondition is write access to a configuration file that ParlAI will load; the vulnerable code path is the loader itself, not any particular configuration key.
Recommendations

Update to ParlAI v1.1.0 or later, which patches the issue. As a temporary workaround where upgrading is not possible, replace each YAML deserialization call with its safe equivalent: use yaml.safe_load(), or pass Loader=yaml.SafeLoader to yaml.load(). The safe loader only constructs plain YAML scalars, sequences and mappings and rejects python/* tags, so a tampered configuration file fails to parse instead of executing code.
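The vulnerable pattern and its fix side by side, as an added example that is not ParlAI's own code. A constructed configuration file carries a `!!python/object/apply` tag; it is parsed first with a PyYAML loader that constructs Python objects and then with `yaml.safe_load`. The callable it invokes (`platform.system`) is a harmless stand-in chosen for this demonstration; the file contents and the function names below are assumptions, not taken from the advisory.

```python
"""Added example (not ParlAI code): unsafe vs. safe YAML loading with PyYAML.

Scenario from the advisory: the attacker can edit a local configuration file;
the application parses it. Both YAML documents below are constructed for this
demonstration.
"""
import platform

import yaml

# Constructed attacker-controlled config. The !!python/object/apply tag asks the
# loader to call an arbitrary Python callable with the given arguments. A real
# payload would name os.system or subprocess.Popen instead of platform.system,
# which is used here only because it has no side effects.
MALICIOUS_CONFIG = """
model: transformer/generator
batchsize: 32
# The next key is not data: it is a request to invoke a Python callable.
marker: !!python/object/apply:platform.system []
"""

# Constructed benign config: what a legitimate file looks like.
BENIGN_CONFIG = """
model: transformer/generator
batchsize: 32
"""


def load_config_unsafe(text):
    """The vulnerable pattern: yaml.load with a loader that builds Python objects.

    Before PyYAML 5.1, yaml.load(text) with no Loader argument behaved exactly
    like this. yaml.UnsafeLoader (and yaml.Loader) resolve python/* tags to
    real Python objects and call the named callable during parsing, so the
    tagged node above executes before the caller ever sees the result.
    """
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_config_safe(text):
    """The fix: yaml.safe_load (equivalently Loader=yaml.SafeLoader).

    Only plain YAML types are constructed (str, int, float, bool, list, dict,
    None, ...). Any python/* tag raises yaml.constructor.ConstructorError
    instead of being executed.
    """
    return yaml.safe_load(text)


def load_config_safe_or_reject(text):
    """Wrap the safe loader so a tampered file is rejected, not a crash.

    Returns (accepted, data); callers should log and refuse the file when
    accepted is False.
    """
    try:
        return True, yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return False, None


def demonstrate(text=MALICIOUS_CONFIG):
    """Return (value produced by the unsafe loader, whether the safe loader accepted it)."""
    unsafe_value = load_config_unsafe(text)["marker"]
    accepted, _ = load_config_safe_or_reject(text)
    return unsafe_value, accepted


if __name__ == "__main__":
    value, accepted = demonstrate()
    print("unsafe loader executed platform.system() during parsing:", value)
    print("safe loader accepted the tampered file:", accepted)
    print("safe loader on a benign file:", load_config_safe(BENIGN_CONFIG))
```

The unsafe path runs `platform.system()` as a side effect of parsing and stores its return value under `marker`; the safe path refuses the same document with a `ConstructorError` while still parsing the benign file normally. When auditing a code base for this class of bug, every `yaml.load(...)` whose `Loader` is `yaml.Loader`, `yaml.UnsafeLoader`, or omitted on an old PyYAML is a candidate.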

Fix

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2021-39207
GHSA-M87F-9FVV-2MGG
GHSA-MWGJ-7X7J-6966
PYSEC-2021-330
PYSEC-2021-334

Affected Products

Parlai