Skip to content

Unsafe yaml deserialization in autogluon.multimodal

High
gradientsky published GHSA-6h2x-4gjf-jc5w Sep 21, 2022

Package

autogluon-inference (Deep Learning Containers)

Affected versions

>=0.4.0;<0.4.3

Patched versions

0.4.3, 0.5.2
autogluon-training (Deep Learning Containers)
>=0.4.0;<0.4.3
0.4.3, 0.5.2
pip autogluon.multimodal (pip)
>=0.4.0;<0.4.3, >=0.5.0;<0.5.2
0.4.3, 0.5.2

Description

Impact

A potential unsafe deserialization issue exists within the autogluon.multimodal module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.

Impacted versions: >=0.4.0;<0.4.3, >=0.5.0;<0.5.2.

Patches

The patches are included in autogluon.multimodal==0.4.3, autogluon.multimodal==0.5.2 and Deep Learning Containers 0.4.3 and 0.5.2.

Workarounds

Do not load data which originated from an untrusted source, or that could have been tampered with. Only load data you trust.

References

Severity

High

CVE ID

No known CVE

Weaknesses

Credits