Software: [https://github.com/pytorchlightning/pytorch-lightning)
Vulnerability: Insecure Yaml Deserialization
CVE: CVE-2021-4118
Description of the product:
Lightning disentangles PyTorch code to decouple the science from the engineering.
Summary:
There is untrusted YAML Deserialization vulnerability on PyTorchLightning Github repository. PyTorchLightning’s saving.py (core.saving.load_hparams_from_yaml) functionality is calling “yaml.UnsafeLoader” from pyyaml Python library which is not secure method. Because of that, maliciously crafted yaml config file can cause code execution on the victim’s machine.
Fix: