CVE-2022-31605

Name of the Vulnerable Software and Affected Versions NVFLARE versions prior to 2.1.2

Description The issue concerns the deserialization of untrusted data in the utils module of NVFLARE, where YAML files are loaded via yaml.load() instead of yaml.safe load(). This may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and impact both Confidentiality and Integrity.

Recommendations For versions prior to 2.1.2, update to version 2.1.2 to resolve the issue. As a temporary workaround, consider changing yaml.load() to yaml.safe load() in the affected module.