{ "schema_version": "1.4.0", "id": "GHSA-6h2x-4gjf-jc5w", "modified": "2022-09-21T21:42:05Z", "published": "2022-09-21T21:42:05Z", "aliases": [], "summary": "autogluon.multimodal vulnerable to unsafe YAML deserialization", "details": "### Impact\n\nA potential unsafe deserialization issue exists within the `autogluon.multimodal` module, where YAML files are loaded via `yaml.load()` instead of `yaml.safe_load()`. The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.\n\nImpacted versions: `>=0.4.0;<0.4.3`, `>=0.5.0;<0.5.2`.\n\n### Patches\nThe patches are included in `autogluon.multimodal==0.4.3`, `autogluon.multimodal==0.5.2` and Deep Learning Containers `0.4.3` and `0.5.2`.\n\n### Workarounds\nDo not load data which originated from an untrusted source, or that could have been tampered with. **Only load data you trust.**\n\n### References\n* https://cwe.mitre.org/data/definitions/502.html\n* https://www.cvedetails.com/cve/CVE-2017-18342/\n", "severity": [], "affected": [ { "package": { "ecosystem": "PyPI", "name": "autogluon.multimodal" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.4.0" }, { "fixed": "0.4.3" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "autogluon.multimodal" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.5.0" }, { "fixed": "0.5.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/awslabs/autogluon/security/advisories/GHSA-6h2x-4gjf-jc5w" }, { "type": "WEB", "url": "https://github.com/awslabs/autogluon/pull/1987" }, { "type": "WEB", "url": "https://github.com/awslabs/autogluon/commit/23a37e74e58d03055c84a1b89c5af6c3db296b5e" }, { "type": "PACKAGE", "url": "https://github.com/awslabs/autogluon" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-21T21:42:05Z", "nvd_published_at": null } }