Vulnerabilities > CVE-2021-24040 - Deserialization of Untrusted Data vulnerability in Facebook Parlai
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 11 |
Common Weakness Enumeration (CWE)
References
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
- http://packetstormsecurity.com/files/164136/Facebook-ParlAI-1.0.0-Code-Execution-Deserialization.html
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
- https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
- https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg