GHSA-hjr4-fhgp-23g9

Source

https://github.com/advisories/GHSA-hjr4-fhgp-23g9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hjr4-fhgp-23g9/GHSA-hjr4-fhgp-23g9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hjr4-fhgp-23g9

Aliases

CVE-2021-23338
PYSEC-2021-86
SNYK-PYTHON-QLIB-1054635

Published

2022-05-24T17:42:16Z

Modified

2024-10-14T18:38:35.640542Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

qlib Deserialization of Untrusted Data vulnerability

Details

This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-502",
        "CWE-94"
    ],
    "nvd_published_at": "2021-02-15T16:15:00Z",
    "github_reviewed_at": "2024-04-29T11:02:15Z",
    "github_reviewed": true
}

References

Affected packages

PyPI / pyqlib

Package

Name: pyqlib; View open source insights on deps.dev
Purl: pkg:pypi/pyqlib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.7.0

Affected versions

0.*

0.5.0.dev7

0.5.0.dev8

0.5.0.dev9

0.5.0.dev10

0.5.1.dev0

0.5.1

0.6.0

0.6.1

0.6.2