{"id":"CVE-2022-31605","details":"NVFLARE versions prior to 2.1.2 contain a vulnerability in the utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). This deserialization of untrusted data may allow an unprivileged network attacker to cause remote code execution, denial of service, and impact to both confidentiality and integrity.","aliases":["GHSA-hrf3-622q-8366","PYSEC-2022-232"],"modified":"2026-03-13T22:14:21.256073Z","published":"2022-07-01T18:15:08.837Z","related":["GHSA-hrf3-622q-8366"],"references":[{"type":"ADVISORY","url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nvidia/nvflare","events":[{"introduced":"0"},{"fixed":"2b6e1b1e2e0da8636e636289e92266c42e3e6483"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.2"}]}}],"versions":["2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.1.0","2.1.0a1","2.1.0a2","2.1.0rc1","2.1.0rc2","2.1.0rc3","2.1.0rc4","2.1.0rc5","2.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31605.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}