Vulnerability Description
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parlai | < 1.1.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-ExecutionExploitThird Party AdvisoryVDB Entry
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0Release NotesThird Party Advisory
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mPatchThird Party Advisory
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-ExecutionExploitThird Party AdvisoryVDB Entry
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0Release NotesThird Party Advisory
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mPatchThird Party Advisory
FAQ
What is CVE-2021-24040?
CVE-2021-24040 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risk...
How severe is CVE-2021-24040?
CVE-2021-24040 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-24040?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Parlai.