Vulnerability Description
Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24.
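The root cause described above is a PyYAML loader that honours `python/` tags (`yaml.load` with `yaml.Loader` or `yaml.UnsafeLoader`), so a tag in a model's config file can construct arbitrary Python objects at load time. The example below is added here and is not Sockeye's own code or its patch: it shows a defensive config loader that (1) scans a YAML document for `python/` tags before parsing, as a triage aid for model directories downloaded from third parties, and (2) parses with `yaml.safe_load`, which is the actual mitigation because it rejects every non-standard tag. The file name, config keys and the benign `builtins.int` tag in the samples are constructed for illustration; PyYAML is assumed to be installed only for the `safe_load` step.

```python
import re
from pathlib import Path

# Tags that make PyYAML's full/unsafe loaders build Python objects live in the
# "python/" namespace. They appear either as the !!python/... shorthand or as an
# explicit URI tag !<tag:yaml.org,2002:python/...>. Both forms are matched here.
_PYTHON_TAG = re.compile(r"!!python/[\w./:-]+|!<tag:yaml\.org,2002:python/[^>]*>")

# Constructed sample: a plain model config with only scalar values.
CLEAN_CONFIG = """\
model_type: transformer
num_embed: 512
vocab_size: 32000
"""

# Constructed sample: the same config with a (deliberately harmless) python/ tag.
# An unsafe loader would call builtins.int(32000) here; any other callable could
# be named the same way, which is exactly what safe_load refuses to do.
TAGGED_CONFIG = """\
model_type: transformer
num_embed: 512
vocab_size: !!python/object/apply:builtins.int [32000]
"""


def find_python_tags(text: str) -> list:
    """Return (line_number, tag) for every python/ tag in a YAML document.

    This is a text-level triage check: it can flag a tag that sits inside a
    quoted string (false positive), but it never misses a tag the parser would
    see, so it is useful for auditing a downloaded model directory.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _PYTHON_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_model_config(text: str) -> dict:
    """Parse a model config, refusing anything that needs an unsafe loader."""
    tags = find_python_tags(text)
    if tags:
        # Fail before parsing so the offending lines can be reported verbatim.
        raise ValueError(f"config contains Python object tags: {tags}")
    import yaml  # PyYAML (assumed installed); imported here so the scan works without it

    # safe_load only constructs standard YAML types (str, int, list, dict, ...)
    # and raises yaml.constructor.ConstructorError on any python/ tag, so this
    # remains safe even if the regex above were bypassed.
    return yaml.safe_load(text)


def scan_directory(root: str) -> dict:
    """Map each *.yaml/*.yml file under root to the python/ tags found in it."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix in (".yaml", ".yml") and path.is_file():
            tags = find_python_tags(path.read_text(encoding="utf-8", errors="replace"))
            if tags:
                findings[str(path)] = tags
    return findings


if __name__ == "__main__":
    print("clean config:", load_model_config(CLEAN_CONFIG))
    try:
        load_model_config(TAGGED_CONFIG)
    except ValueError as exc:
        print("rejected:", exc)
```

Running `scan_directory` over a model checkout before loading it gives an inventory of suspicious files; `load_model_config` is the path to use in code, since `safe_load` is what closes the issue regardless of what the scan finds.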
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Sockeye | < 2.3.24 |
Related Weaknesses (CWE)
References
- https://github.com/awslabs/sockeye/pull/964 (Patch, Third Party Advisory)
- https://github.com/awslabs/sockeye/releases/tag/2.3.24 (Release Notes, Third Party Advisory)
- https://github.com/awslabs/sockeye/security/advisories/GHSA-ggmr-44cv-24pm (Third Party Advisory)
FAQ
What is CVE-2021-43811?
CVE-2021-43811 is a vulnerability with a CVSS score of 7.8 (HIGH). Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files.
How severe is CVE-2021-43811?
CVE-2021-43811 has been rated HIGH with a CVSS base score of 7.8/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-43811?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Sockeye.