CVE-2021-39207

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-39207
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-39207.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-39207
Aliases
Published
2021-09-10T23:15:07Z
Modified
2024-10-12T08:20:15.029813Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack: YAML is loaded with an unsafe loader that can construct arbitrary Python objects named in the document, which leads to arbitrary code execution. This security bug is patched by avoiding the unsafe loader; users should update to a version above v1.1.0. If upgrading is not possible, users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
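The pattern behind this advisory, as an added example that is not ParlAI's own code: a constructed YAML document carrying a python/object/apply tag is loaded once with PyYAML's unsafe yaml.Loader and once with the SafeLoader the advisory recommends as the workaround. It assumes PyYAML is installed; the option names in the sample documents are made up, and the payload calls os.getpid rather than anything destructive so the block can be run safely.

```python
"""Added example (not ParlAI code): unsafe vs. safe PyYAML loading."""
import os
import yaml

# Constructed, attacker-controlled document. The python/object/apply tag
# tells PyYAML's unsafe loaders to import the named module and call the
# function with the given arguments, so merely deserializing this text runs
# os.getpid() inside the victim process. A real payload would name
# something like os.system with a command string instead.
MALICIOUS_YAML = """
model: transformer/generator
pid: !!python/object/apply:os.getpid []
"""

# Constructed benign document in the shape of an ordinary options file.
BENIGN_YAML = """
model: transformer/generator
batchsize: 32
datapath: /tmp/parlai-data
"""


def load_unsafe(text):
    """The vulnerable pattern: yaml.Loader (like yaml.UnsafeLoader) resolves
    python/* tags and builds whatever Python object the document names."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """The advisory's workaround: SafeLoader only builds plain YAML types
    (mappings, sequences, scalars) and rejects python/* tags outright.
    yaml.safe_load(text) is shorthand for exactly this call."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def unsafe_loader_executes_code():
    """True if deserializing MALICIOUS_YAML ran os.getpid() in this process."""
    data = load_unsafe(MALICIOUS_YAML)
    return data["pid"] == os.getpid()


def safe_loader_rejects_payload():
    """True if SafeLoader refuses the tagged document instead of executing it.
    PyYAML reports an unknown tag as a ConstructorError."""
    try:
        load_safe(MALICIOUS_YAML)
    except yaml.constructor.ConstructorError:
        return True
    return False


def safe_loader_parses_benign_config():
    """SafeLoader still handles everything a normal config needs."""
    return load_safe(BENIGN_YAML)


if __name__ == "__main__":
    print("unsafe loader executed os.getpid():", unsafe_loader_executes_code())
    print("SafeLoader rejected the payload:   ", safe_loader_rejects_payload())
    print("SafeLoader parsed benign config:   ", safe_loader_parses_benign_config())
```

Do not reach for FullLoader as the fix: PyYAML 5.1 through 5.3.1 still let FullLoader honor python/object/apply, and yaml.load without an explicit Loader was the unsafe loader in releases before 5.1. The advisory's workaround, SafeLoader (or yaml.safe_load), is the one that refuses every python/* tag regardless of PyYAML version.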

References

Affected packages

Git / github.com/facebookresearch/parlai

Affected ranges

Type
GIT
Repo
https://github.com/facebookresearch/parlai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

acute_eval
convai2archive
final_mturk
mastering_the_dungeon
memnn_feedback
mturk_archive
personachat
qa_data_collection
qualification_flow_example
react_task_demo
talkthewalk
turn_annotations

v0.*

v0.1.20200409
v0.1.20200416
v0.1.20200716
v0.10.0
v0.8.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4

v1.*

v1.0.0