CVE-2021-39207: Deserialization of Untrusted Data in parlai
First published: Fri Sep 10 2021(Updated: )
### Impact Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. ### Patches The issue can be patched by upgrading to v1.1.0 or later. It can also be patched by replacing YAML deserialization with equivalent safe_load calls. ### References - https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725 - https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879 - https://anon-artist.github.io/blogs/blog3.html
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Parlai | <1.1.0 | |
| pip/parlai | <1.1.0 | 1.1.0 |
| <1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
- https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
- https://nvd.nist.gov/vuln/detail/CVE-2021-39207
- https://github.com/advisories/GHSA-mwgj-7x7j-6966
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
- https://github.com/pypa/advisory-database/tree/main/vulns/parlai/PYSEC-2021-330.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/parlai/PYSEC-2021-334.yaml
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
- https://github.com/advisories/GHSA-m87f-9fvv-2mgg (Advisory)
Frequently Asked Questions
What is CVE-2021-39207?
CVE-2021-39207 is a vulnerability in the Parlai framework that allows for YAML deserialization attack leading to arbitrary code execution.
What is the severity of CVE-2021-39207?
CVE-2021-39207 has a severity rating of 8.8 (high).
How does CVE-2021-39207 affect the Parlai package?
CVE-2021-39207 affects the Parlai package versions up to exclusive 1.1.0.
How is CVE-2021-39207 patched?
CVE-2021-39207 is patched by avoiding unsafe YAML loading in the Parlai package.
What is the Common Weakness Enumeration (CWE) ID for CVE-2021-39207?
CVE-2021-39207 is associated with the CWE ID 502.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m87f-9fvv-2mgg
- alias/CVE-2021-39207
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/facebook
- canonical/facebook parlai
- package-manager/pip