We use cookies to improve your experience on our site.
AVID-2026-R0719
Description
Deserialization of Untrusted Data (CVE-2021-23338)
Details
This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.
Reason for inclusion in AVID: CVE-2021-23338 describes unsafe YAML deserialization in the qlib package, a library used in AI/ML workflows. This is a software vulnerability in a dependency used to build/run AI systems, affecting the software supply chain for general-purpose AI systems. It involves deserialization (security/safety vuln) with network-based access and potential impact on confidentiality, integrity, and availability. The report provides explicit details (unsafe YAML load function in CLI; qlib affected), offering sufficient evidence.
References
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | qlib |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C |
| Base Score | 6.6 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | 🔴 High |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-02-15
- Version: 0.3.3
- AVID Entry