PYSEC-2021-330

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/parlai/PYSEC-2021-330.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2021-330

Aliases

CVE-2021-24040
CVE-2021-39207
GHSA-m87f-9fvv-2mgg
GHSA-mwgj-7x7j-6966
PYSEC-2021-334

Published

2021-09-10T22:15:00Z

Modified

2023-11-01T04:54:44.487261Z

Summary

[none]

Details

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.

References

https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
https://github.com/advisories/GHSA-mwgj-7x7j-6966

Affected packages

PyPI / parlai

Package

Name: parlai; View open source insights on deps.dev
Purl: pkg:pypi/parlai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.0

Affected versions

0.*

0.1.20200409

0.1.20200416

0.1.20200610

0.1.20200713

0.1.20200716

0.8.0

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.10.0

1.*

1.0.0