Vulnerability Details : CVE-2021-39207
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution. The bug is patched by avoiding the unsafe loader; users should update to a version above v1.1.0. If upgrading is not possible, users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
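The unsafe-loading pattern the description refers to, shown as an added example that is not ParlAI's code and not taken from the advisory: PyYAML's unsafe loaders honour `!!python/object/apply` tags, so a config file an attacker can write becomes code execution, while `safe_load` refuses the same document. The block also includes a small AST audit for `yaml.load()` calls whose Loader is not SafeLoader, the check a practitioner would run on a code base before and after applying the workaround. It assumes PyYAML is installed; the YAML documents, the benign payload (`os.getcwd` in place of a real command) and the audited source snippet are all constructed here.

```python
# Added example (not ParlAI's code): unsafe vs safe PyYAML loading and an
# AST audit for yaml.load() calls that still use an unsafe Loader.
import ast
import os

import yaml

# Constructed attacker-controlled YAML (not from the advisory). A python/object/apply
# tag makes PyYAML's unsafe loaders import a module and call a function with the
# given arguments; os.getcwd stands in for whatever an attacker would really run.
MALICIOUS_DOC = """\
task: blended_skill_talk
model_file: !!python/object/apply:os.getcwd []
"""

# Constructed benign config: what the loader is actually meant to handle.
BENIGN_DOC = """\
task: blended_skill_talk
model_file: /tmp/model
"""


def load_config_unsafe(doc):
    """Vulnerable pattern: yaml.Loader (and FullLoader before PyYAML 5.4)
    resolves python/* tags, so parsing executes attacker-chosen callables."""
    return yaml.load(doc, Loader=yaml.Loader)


def load_config_safe(doc):
    """Hardened pattern (the advisory's workaround): only plain YAML types."""
    return yaml.safe_load(doc)


def unsafe_loader_executes_tag(doc=MALICIOUS_DOC):
    """True if the unsafe loader ran os.getcwd() while parsing the document."""
    return load_config_unsafe(doc)["model_file"] == os.getcwd()


def safe_loader_rejects_tag(doc=MALICIOUS_DOC):
    """True if SafeLoader refuses the document instead of executing it."""
    try:
        load_config_safe(doc)
    except yaml.YAMLError:  # ConstructorError: no constructor for python/object/apply
        return True
    return False


SAFE_LOADER_NAMES = {"SafeLoader", "CSafeLoader"}


def find_unsafe_yaml_loads(source):
    """Return line numbers of yaml.load(...) calls whose Loader is not a SafeLoader.

    FullLoader is flagged as well: before PyYAML 5.4 it still resolved
    python/object/apply, which is exactly the class of bug in this CVE.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        if not (isinstance(fn, ast.Attribute) and fn.attr == "load"
                and isinstance(fn.value, ast.Name) and fn.value.id == "yaml"):
            continue
        loader = None
        if len(node.args) > 1 and isinstance(node.args[1], ast.Attribute):
            loader = node.args[1].attr  # yaml.load(stream, yaml.SafeLoader)
        for kw in node.keywords:
            if kw.arg == "Loader" and isinstance(kw.value, ast.Attribute):
                loader = kw.value.attr  # yaml.load(stream, Loader=yaml.SafeLoader)
        if loader not in SAFE_LOADER_NAMES:
            hits.append(node.lineno)
    return hits


# Constructed source snippet for the audit (not ParlAI code).
SAMPLE_SOURCE = """\
import yaml
cfg = yaml.load(open(path), Loader=yaml.FullLoader)  # unsafe before PyYAML 5.4
cfg = yaml.load(open(path))                          # no Loader: unsafe on old PyYAML
cfg = yaml.load(open(path), Loader=yaml.SafeLoader)  # fine
cfg = yaml.safe_load(open(path))                     # fine
"""


if __name__ == "__main__":
    print("unsafe loader executed tag:", unsafe_loader_executes_tag())
    print("SafeLoader rejected tag:   ", safe_loader_rejects_tag())
    print("unsafe yaml.load() at lines:", find_unsafe_yaml_loads(SAMPLE_SOURCE))
```

The audit deliberately treats a missing Loader argument as unsafe: PyYAML 5.x falls back to FullLoader with a warning, and PyYAML 6 raises a TypeError, so neither outcome is what the caller wants.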
Products affected by CVE-2021-39207
- cpe:2.3:a:facebook:parlai:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39207
0.16% : probability of exploitation activity in the next 30 days
~54% : percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-39207
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
8.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L | 1.8 | 6.0 | GitHub, Inc. |

The first row is a CVSS v2 vector; the other two are CVSS v3.1 vectors.
CWE ids for CVE-2021-39207
- Deserialization of Untrusted Data: the product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-39207
- https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879 : Update model_chat_blueprint.py (#3429) · facebookresearch/ParlAI@4374fa2 (Patch; Third Party Advisory)
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg : Deserialization of Untrusted Data in parlai · Advisory · facebookresearch/ParlAI (Patch; Third Party Advisory)
- https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725 : RCE Fixed (#3402) · facebookresearch/ParlAI@507d066 (Patch; Third Party Advisory)