GitHub Advisory DatabaseGHSA-6HRG-QMVC-2XH8joblib vulnerable to arbitrary code execution
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
75.0%
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
Affected configurations
References
github.com/advisories/GHSA-6hrg-qmvc-2xh8
github.com/joblib/joblib/commit/6638b9e9711ad1ebbf6dd95aa7cee0dca9897b42
github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
github.com/joblib/joblib/issues/1128
github.com/joblib/joblib/pull/1321
github.com/joblib/joblib/pull/1327
github.com/joblib/joblib/pull/1352
github.com/pypa/advisory-database/tree/main/vulns/joblib/PYSEC-2022-288.yaml
lists.debian.org/debian-lts-announce/2022/11/msg00020.html
lists.debian.org/debian-lts-announce/2023/03/msg00027.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
lists.fedoraproject.org/archives/list/[email protected]/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
lists.fedoraproject.org/archives/list/[email protected]/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
nvd.nist.gov/vuln/detail/CVE-2022-21797
security.gentoo.org/glsa/202401-01
security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
75.0%