GoogleOSV:GHSA-6HRG-QMVC-2XH8joblib vulnerable to arbitrary code execution
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
75.0%
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
References
github.com/joblib/joblib
github.com/joblib/joblib/commit/6638b9e9711ad1ebbf6dd95aa7cee0dca9897b42
github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
github.com/joblib/joblib/issues/1128
github.com/joblib/joblib/pull/1321
github.com/joblib/joblib/pull/1327
github.com/joblib/joblib/pull/1352
github.com/pypa/advisory-database/tree/main/vulns/joblib/PYSEC-2022-288.yaml
lists.debian.org/debian-lts-announce/2022/11/msg00020.html
lists.debian.org/debian-lts-announce/2023/03/msg00027.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
lists.fedoraproject.org/archives/list/[email protected]/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
lists.fedoraproject.org/archives/list/[email protected]/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
nvd.nist.gov/vuln/detail/CVE-2022-21797
security.gentoo.org/glsa/202401-01
security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
75.0%