CVE-2021-39207

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879	Patch Third Party Advisory
https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725	Patch Third Party Advisory
https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:facebook:parlai:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-09-10 23:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-39207

Mitre link : CVE-2021-39207

CVE.ORG link : CVE-2021-39207

JSON object : View

Products Affected

facebook

parlai

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2021-39207", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2021-09-10T23:15:07.343", "references": [{"url": "https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details."}, {"lang": "es", "value": "parlai es un marco de trabajo para entrenar y evaluar modelos de IA en una variedad de conjuntos de datos de di\u00e1logo disponibles abiertamente. En las versiones afectadas el paquete es vulnerable a un ataque de deserializaci\u00f3n de YAML causado por una carga no segura que conlleva a una ejecuci\u00f3n de c\u00f3digo arbitrario. Este bug de seguridad es parcheado al evitar una carga no segura, los usuarios deben actualizar a una versi\u00f3n superior a v1.1.0. Si la actualizaci\u00f3n no es posible, entonces los usuarios pueden cambiar el Cargador usado a SafeLoader como soluci\u00f3n. Consulte el commit 507d066ef432ea27d3e201da08009872a2f37725 para m\u00e1s detalles"}], "lastModified": "2021-09-23T15:47:49.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:parlai:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "024C0A42-7DCA-4692-8BFD-E6BEFF796D84", "versionEndExcluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}