9.8

CVE-2021-24040

Exploit
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FacebookParlai Version < 1.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 17.35% 0.967
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
Third Party Advisory
Exploit
VDB Entry
https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
Third Party Advisory
Release Notes
https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
Patch
Third Party Advisory