CVE-2021-43811

EPSS 8.72%
Published 08.12.2021 23:15:08
Last modified 21.11.2024 06:29:50
Source security-advisories@github.com
Teams watchlist Login
Open Login

Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Amazon ≫ Sockeye SwPlatformpython Version < 2.3.24

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	8.72%	0.921

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
security-advisories@github.com	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/awslabs/sockeye/pull/964

Patch

Third Party Advisory

https://github.com/awslabs/sockeye/releases/tag/2.3.24

Third Party Advisory

Release Notes

https://github.com/awslabs/sockeye/security/advisories/GHSA-ggmr-44cv-24pm

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-43811

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-43811

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-43811

EUVD