Impact A potential unsafe deserialization issue exists within the "autogluon.multimodal" module, where YAML files are loaded via "yaml.load()" instead of "yaml.safe_load()". The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity. Impacted versions: ">=0.4.0;<0.4.3", ">=0.5.0;<0.5.2". Patches The patches are included in "autogluon.multimodal==0.4.3", "autogluon.multimodal==0.5.2" and Deep Learning Containers "0.4.3" and "0.5.2". Workarounds Do not load data which originated from an untrusted source, or that could have been tampered with. Only load data you trust. References * https://cwe.mitre.org/data/definitions/502.html * https://www.cvedetails.com/cve/CVE-2017-18342/