{"id":"PYSEC-2022-232","details":"NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of untrusted data may allow an unprivileged network attacker to cause remote code execution, denial of service, and impact to both confidentiality and integrity.","aliases":["CVE-2022-31605","GHSA-hrf3-622q-8366"],"modified":"2023-11-08T04:09:31.225389Z","published":"2022-07-01T18:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"}],"affected":[{"package":{"name":"nvflare","ecosystem":"PyPI","purl":"pkg:pypi/nvflare"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.2"}]}],"versions":["0.1.3","0.9.0","1.0.0","1.0.1","1.0.2","1.1.0","1.1.1","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.14","2.0.15","2.0.16","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.0.18","2.0.19"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2022-232.yaml"}}],"schema_version":"1.7.3"}