CVE-2021-23338: qlib Deserialization of Untrusted Data vulnerability

May 24, 2022 (updated October 14, 2024)

This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.

References

github.com/418sec/huntr/pull/1329
github.com/advisories/GHSA-hjr4-fhgp-23g9
github.com/microsoft/qlib
github.com/pypa/advisory-database/tree/main/vulns/pyqlib/PYSEC-2021-86.yaml
nvd.nist.gov/vuln/detail/CVE-2021-23338
security.snyk.io/vuln/SNYK-PYTHON-PYQLIB-1085990
snyk.io/vuln/SNYK-PYTHON-QLIB-1054635

Code Behaviors & Features

Detect and mitigate CVE-2021-23338 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →