Home > Vulnerability Database > CVE-2021-24040

Mend.io Vulnerability Database

CVE-2021-24040

Good to know:

Date: September 10, 2021

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.

Language: Python

Severity Score

9.8

Related Resources (10)

Url: https://github.com/facebookresearch/ParlAI/pull/3429

Url: https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879

Url: https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0

Url: https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg

Url: http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html

Url: https://github.com/facebookresearch/ParlAI/pull/3402

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-24040

Url: https://github.com/facebookresearch/ParlAI

Url: https://github.com/advisories/GHSA-mwgj-7x7j-6966

Url: https://www.mend.io/vulnerability-database/CVE-2021-24040

Severity Score

9.8

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version parlai - 1.1.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-24040

Good to know:

Date: September 10, 2021

Language: Python

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?