Vulnerability Details CVE-2021-24040
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.318
EPSS Ranking 96.6%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
Products affected by CVE-2021-24040
-
cpe:2.3:a:facebook:parlai:0.1.20200409
-
cpe:2.3:a:facebook:parlai:0.1.20200416
-
cpe:2.3:a:facebook:parlai:0.1.20200716
-
cpe:2.3:a:facebook:parlai:0.10.0
-
cpe:2.3:a:facebook:parlai:0.8.0
-
cpe:2.3:a:facebook:parlai:0.9.0
-
cpe:2.3:a:facebook:parlai:0.9.1
-
cpe:2.3:a:facebook:parlai:0.9.2
-
cpe:2.3:a:facebook:parlai:0.9.3
-
cpe:2.3:a:facebook:parlai:0.9.4
-
cpe:2.3:a:facebook:parlai:1.0.0