CVE-2021-39207 HIGH

CVE-2021-39207: Deserialization of Untrusted Data in parlai

Vendor Facebookresearch

Product ParlAI

Weakness CWE-502 · Unsafe deserialization

Published September 10, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.

Key dates

02Disclosure timeline

September 10, 2021 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-39207

Related vulnerabilities

CVE-2021-39207: Deserialization of Untrusted Data in parlai

01Description

02Disclosure timeline

03References

04Related CVE