parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution. This security bug is patched by avoiding the unsafe loader; users should update to a version above v1.1.0. If upgrading is not possible, users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
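The two loader choices the advisory contrasts, as an added example written for this page rather than code from the parlai project or its patch commit: `load_unsafe` is the vulnerable pattern (`yaml.Loader` honours every `!!python/...` tag and will build arbitrary Python objects from attacker-controlled YAML), and `load_safe` is the SafeLoader workaround the advisory recommends. The sample documents, the harmless `!!python/tuple` probe tag used to show the difference, and the function names are all constructed for the example; PyYAML is assumed to be installed.

```python
"""Added example (not parlai's own code): the unsafe-loader pattern behind
CVE-2021-39207 beside the SafeLoader workaround the advisory recommends."""
import yaml

# Constructed sample: an ordinary configuration document with no custom tags.
PLAIN_CONFIG = """
model: transformer
batch_size: 32
"""

# Constructed probe: a harmless Python-specific tag. Only the unsafe loaders
# honour "!!python/..." tags, so this tuple tag stands in for the tags that
# would let untrusted YAML instantiate arbitrary Python objects.
PYTHON_TAGGED_CONFIG = """
model: transformer
layers: !!python/tuple [2, 4]
"""


def load_unsafe(text):
    """The affected pattern: yaml.Loader resolves every python/* tag."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """The workaround from the advisory: SafeLoader only builds plain YAML
    types (mappings, sequences, scalars) and rejects every other tag."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def safe_loader_rejects(text):
    """True if SafeLoader refuses the document (raises a YAML error)."""
    try:
        load_safe(text)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print(load_safe(PLAIN_CONFIG))                     # normal config loads fine
    print(load_unsafe(PYTHON_TAGGED_CONFIG))           # unsafe loader builds the tuple
    print(safe_loader_rejects(PYTHON_TAGGED_CONFIG))   # SafeLoader refuses it
```

`yaml.safe_load(text)` is equivalent to `load_safe` above; the point of the side-by-side form is that the only change needed in an affected call site is the `Loader=` argument, which is exactly the workaround described.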
Published 2021-09-10 23:15:07
Updated 2021-09-23 15:47:49
Source GitHub, Inc.

Products affected by CVE-2021-39207

Exploit prediction scoring system (EPSS) score for CVE-2021-39207

EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
Percentile: ~54% (the proportion of vulnerabilities scored at or below this value)

CVSS scores for CVE-2021-39207

Version  Base Score  Severity  CVSS Vector                                   Exploitability  Impact  Source
v2       6.5         MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P                    8.0             6.4     NIST
v3.1     8.8         HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  2.8             5.9     NIST
v3.1     8.4         HIGH      CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L  1.8             6.0     GitHub, Inc.

CWE ids for CVE-2021-39207

  • The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
    Assigned by: security-advisories@github.com (Primary)
