Headline
GHSA-6h2x-4gjf-jc5w: autogluon.multimodal vulnerable to unsafe YAML deserialization
Impact
A potential unsafe deserialization issue exists within the autogluon.multimodal module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.
Impacted versions: >=0.4.0;<0.4.3, >=0.5.0;<0.5.2.
Patches
The patches are included in autogluon.multimodal==0.4.3, autogluon.multimodal==0.5.2 and Deep Learning Containers 0.4.3 and 0.5.2.
Workarounds
Do not load data which originated from an untrusted source, or that could have been tampered with. Only load data you trust.
References
- https://cwe.mitre.org/data/definitions/502.html
- https://www.cvedetails.com/cve/CVE-2017-18342/
Impact
A potential unsafe deserialization issue exists within the autogluon.multimodal module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.
Impacted versions: >=0.4.0;<0.4.3, >=0.5.0;<0.5.2.
Patches
The patches are included in autogluon.multimodal==0.4.3, autogluon.multimodal==0.5.2 and Deep Learning Containers 0.4.3 and 0.5.2.
Workarounds
Do not load data which originated from an untrusted source, or that could have been tampered with. Only load data you trust.
References
- https://cwe.mitre.org/data/definitions/502.html
- https://www.cvedetails.com/cve/CVE-2017-18342/
References
- GHSA-6h2x-4gjf-jc5w
- awslabs/autogluon#1987
- awslabs/autogluon@23a37e7