VDB
KO

PYSEC-2022-232

Details

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / nvflare
Introduced in: 0 Fixed in: 2.1.2
Fix pip install --upgrade 'nvflare>=2.1.2'

References