PYSEC-2022-232

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2022-232.yaml
Aliases
Published
2022-07-01T18:15:00Z
Modified
2023-11-08T04:09:31.225389Z
Details

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). Deserialization of untrusted data may allow an unprivileged network attacker to cause remote code execution, denial of service, and impact to both confidentiality and integrity.
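A static check for the pattern this advisory describes, added here as an illustration (it is not code from NVFLARE or from the advisory database): it walks a Python module's AST and reports every yaml.load() call that is not pinned to a safe loader, whether the Loader argument is missing or names a constructor such as FullLoader that still builds Python objects. The sample source it scans is constructed.

```python
import ast

# Constructed sample source (not nvflare's): two unsafe calls of the kind
# PYSEC-2022-232 describes and two acceptable ones.
SAMPLE_SOURCE = '''
import yaml
from yaml import SafeLoader

def load_a(f):
    return yaml.load(f)                              # line 6: no Loader at all
def load_b(text):
    return yaml.load(text, Loader=yaml.FullLoader)   # line 8: builds python/* objects
def load_c(text):
    return yaml.load(text, Loader=SafeLoader)        # line 10: fine
def load_d(text):
    return yaml.safe_load(text)                      # line 12: fine
'''

# Loaders that only construct plain YAML types (no python/* tags).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _ident(node):
    """Bare name of a Loader argument: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source):
    """Return sorted [(lineno, reason)] for each yaml.load() call not pinned to a safe Loader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "load" and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "yaml"):
            continue
        # Loader may be given as the 2nd positional argument or as Loader=...
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"),
                      node.args[1] if len(node.args) > 1 else None)
        if loader is None:
            findings.append((node.lineno, "yaml.load() with no Loader"))
        elif _ident(loader) not in SAFE_LOADERS:
            findings.append((node.lineno, f"yaml.load() with Loader={_ident(loader)}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Run it over a checkout to find call sites to migrate to yaml.safe_load(); replacing the loader is the fix the advisory records for 2.1.2.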

References

Affected packages

PyPI / nvflare

Package

Name
nvflare

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.1.2

Affected versions

0.*

0.1.3
0.9.0

1.*

1.0.0
1.0.1
1.0.2
1.1.0
1.1.1

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.18
2.0.19
2.1.0
2.1.1