CVE-2021-41127

描述

Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.

如何修補 CVE-2021-41127

要修補 CVE-2021-41127,請將受影響套件升級到下列已修補版本。

• —升級至 2.8.10 或更新版本
• —升級至 1b6b502f52d73b4f8cd1959ce724b8ad0eb33989 或更新版本

CVE-2021-41127 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(2)

• from 0, < 2.8.10
• from 0, < 1b6b502f52d73b4f8cd1959ce724b8ad0eb33989 | from 0, < 2.8.10

CVSS 分數

參考連結(4)

• PATCHgithub.com/RasaHQ/rasa
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/rasa/PYSEC-2021-381.yaml
• WEBgithub.com/RasaHQ/rasa/commit/1b6b502f52d73b4f8cd1959ce724b8ad0eb33989
• WEBgithub.com/RasaHQ/rasa/security/advisories/GHSA-4365-fhm5-qcrx