CVE-2021-43811: Code injection via unsafe YAML loading
First published: Wed Dec 08 2021(Updated: )
### Impact Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. ### Patches The issue is fixed in version 2.3.24 and above by #964. ### For more information If you have any questions or comments about this advisory: * Open an issue in [awslabs/sockeye](https://github.com/awslabs/sockeye) * Email us at [sockeye-dev](mailto:sockeye-dev@amazon.com) ### Attribution This vulnerability was reported by Masatoshi Yoshizawa of yamory Security Team.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Amazon Sockeye | <2.3.24 | |
| pip/sockeye | <2.3.24 | 2.3.24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/awslabs/sockeye/pull/964
- https://github.com/awslabs/sockeye/releases/tag/2.3.24
- https://github.com/awslabs/sockeye/security/advisories/GHSA-ggmr-44cv-24pm
- https://nvd.nist.gov/vuln/detail/CVE-2021-43811
- https://github.com/pypa/advisory-database/tree/main/vulns/sockeye/PYSEC-2021-848.yaml
- https://github.com/advisories/GHSA-ggmr-44cv-24pm (Advisory)
Frequently Asked Questions
What is CVE-2021-43811?
CVE-2021-43811 is a vulnerability in Sockeye, an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch.
How does CVE-2021-43811 affect Sockeye?
CVE-2021-43811 affects versions of Sockeye below 2.3.24 and allows an attacker to execute arbitrary code embedded in config files.
What is the severity of CVE-2021-43811?
The severity of CVE-2021-43811 is high with a score of 7.8.
How can I fix CVE-2021-43811?
To fix CVE-2021-43811, update Sockeye to version 2.3.24 or above.
Where can I find more information about CVE-2021-43811?
More information about CVE-2021-43811 can be found in the following references: - [GitHub Pull Request](https://github.com/awslabs/sockeye/pull/964) - [Sockeye Release 2.3.24](https://github.com/awslabs/sockeye/releases/tag/2.3.24) - [Sockeye Security Advisories](https://github.com/awslabs/sockeye/security/advisories/GHSA-ggmr-44cv-24pm)
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/weakness
- agent/title
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ggmr-44cv-24pm
- alias/CVE-2021-43811
- agent/software-canonical-lookup
- agent/author
- agent/last-modified-date
- agent/references
- agent/tags
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/github-advisory
- vendor/amazon
- canonical/amazon sockeye
- package-manager/pip