Metric | Value |
---|---|
CVSS3 Attack Vector | NETWORK |
CVSS3 Attack Complexity | LOW |
CVSS3 Privileges Required | NONE |
CVSS3 User Interaction | NONE |
CVSS3 Scope | UNCHANGED |
CVSS3 Confidentiality Impact | HIGH |
CVSS3 Integrity Impact | HIGH |
CVSS3 Availability Impact | HIGH |
CVSS3 Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Percentile | 76.7% |
The joblib package, from version 0 and before 1.2.0, is vulnerable to arbitrary code execution via the pre_dispatch argument of the Parallel() class, because that value is passed to an eval() statement.
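The root cause in the advisory is that a caller-supplied string reaches eval(). The following is an added illustration, not joblib's own code and not the upstream fix from the linked pull requests, of how such an argument can be interpreted without eval(): the input is parsed with the ast module and only a whitelist of node types is evaluated. The accepted forms (a positive integer, the string "all", or a small arithmetic expression over n_jobs such as "2*n_jobs") are assumed here to mirror joblib's documented pre_dispatch syntax; the function names and the 64-character bound are this example's own.

```python
import ast

# Added illustration (not joblib's code): a whitelist-based interpreter for
# the pre_dispatch argument, standing in for an eval() call. Assumed accepted
# forms: a positive int, the string "all", or an expression over n_jobs built
# only from integer literals and + - * (for example "2*n_jobs").

_BINOPS = {
    ast.Add: lambda a, b: a + b,
    ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b,
}
_MAX_EXPR_LEN = 64  # constructed bound; keeps pathological inputs out of the parser


def _eval_node(node, n_jobs):
    """Evaluate only the handful of AST node types the grammar allows."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, n_jobs)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name) and node.id == "n_jobs":
        return n_jobs
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left = _eval_node(node.left, n_jobs)
        right = _eval_node(node.right, n_jobs)
        return _BINOPS[type(node.op)](left, right)
    # Calls, attribute access, subscripts, unary operators, other names, and
    # non-integer literals all fall through to here and are rejected.
    raise ValueError(
        f"unsupported element in pre_dispatch expression: {type(node).__name__}"
    )


def parse_pre_dispatch(pre_dispatch, n_jobs):
    """Return the number of tasks to pre-dispatch, or None for "all".

    n_jobs is assumed to be the already-resolved, positive worker count.
    """
    if isinstance(pre_dispatch, bool):
        raise TypeError("pre_dispatch must be an int or str, not bool")
    if isinstance(pre_dispatch, int):
        value = pre_dispatch
    elif isinstance(pre_dispatch, str):
        expr = pre_dispatch.strip()
        if expr == "all":
            return None
        if len(expr) > _MAX_EXPR_LEN:
            raise ValueError("pre_dispatch expression too long")
        try:
            tree = ast.parse(expr, mode="eval")
        except SyntaxError as exc:
            raise ValueError(f"invalid pre_dispatch expression: {expr!r}") from exc
        value = _eval_node(tree, n_jobs)
    else:
        raise TypeError("pre_dispatch must be an int or str")
    if value < 1:
        raise ValueError("pre_dispatch must evaluate to a positive integer")
    return value


def pre_dispatch_is_rejected(pre_dispatch, n_jobs=4):
    """True if the parser refuses the value (used to check the whitelist)."""
    try:
        parse_pre_dispatch(pre_dispatch, n_jobs)
    except (ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    for sample in ["2*n_jobs", "n_jobs + 1", " 3 ", "all", "print(n_jobs)", "-1"]:
        if pre_dispatch_is_rejected(sample):
            print(f"{sample!r}: rejected")
        else:
            print(f"{sample!r}: {parse_pre_dispatch(sample, 4)}")
```

Because the walker recognises only Expression, integer Constant, the name n_jobs and the three binary operators, any call, attribute lookup or subscript in the input is refused before anything is executed, which is the property eval() cannot give.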
Author | Note |
---|---|
ccdm94 | pull request 1321 (commit b90f10e) seems to have been considered an incomplete fix by upstream, and for that reason, PR 1327 (commit 54f4d21) was opened as well in an attempt to completely fix the issue. |
github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
github.com/joblib/joblib/issues/1128
github.com/joblib/joblib/pull/1321
launchpad.net/bugs/cve/CVE-2022-21797
nvd.nist.gov/vuln/detail/CVE-2022-21797
security-tracker.debian.org/tracker/CVE-2022-21797
security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
www.cve.org/CVERecord?id=CVE-2022-21797