joblib is vulnerable to arbitrary code execution. The vulnerability exists in the _batched_calls_reducer_callback function of parallel.py, reachable via the pre_dispatch flag of the Parallel() class, because the flag's value is passed to an eval() statement. When an attacker supplies a Python statement in the pre_dispatch flag, it is executed, so the attacker can run whatever code they want.
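The eval() pattern described above, placed beside a hardened parser for the same flag, as an added example that is not joblib's own code. The function names are illustrative; the accepted forms of the flag (an int, the string "all", or an arithmetic expression over n_jobs such as "2*n_jobs") follow joblib's documented pre_dispatch parameter.

```python
import ast
import operator

# Vulnerable pattern described by the advisory: the caller-supplied pre_dispatch
# string is handed straight to eval(), so any Python expression it contains runs.
def pre_dispatch_unsafe(pre_dispatch, n_jobs):
    return eval(pre_dispatch, {"n_jobs": n_jobs})

# Hardened replacement: parse the string into an AST and evaluate only a small
# whitelist of node types. Names other than n_jobs, calls, attribute access,
# subscripts, comprehensions and every other construct are rejected.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}

def _eval_node(node, n_jobs):
    # Integer literal (bool is a subclass of int, so exclude True/False explicitly).
    if isinstance(node, ast.Constant) and isinstance(node.value, int) \
            and not isinstance(node.value, bool):
        return node.value
    # The single permitted variable.
    if isinstance(node, ast.Name) and node.id == "n_jobs":
        return n_jobs
    # Binary arithmetic over already-validated sub-expressions.
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left = _eval_node(node.left, n_jobs)
        right = _eval_node(node.right, n_jobs)
        return _BINOPS[type(node.op)](left, right)
    # Unary minus, e.g. "-1 + 2*n_jobs".
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, n_jobs)
    raise ValueError(f"unsupported element in pre_dispatch: {ast.dump(node)}")

def pre_dispatch_safe(pre_dispatch, n_jobs):
    """Return the number of pre-dispatched tasks, or None for 'all'."""
    if isinstance(pre_dispatch, int):
        return pre_dispatch
    if pre_dispatch == "all":
        return None
    try:
        tree = ast.parse(pre_dispatch.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid pre_dispatch expression: {pre_dispatch!r}") from exc
    return _eval_node(tree.body, n_jobs)

def is_valid_pre_dispatch(pre_dispatch, n_jobs=1):
    """True if the hardened parser accepts the value, False if it rejects it."""
    try:
        pre_dispatch_safe(pre_dispatch, n_jobs)
        return True
    except ValueError:
        return False
```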
| CPE | Name | Operator | Version |
|---|---|---|---|
| | joblib | eq | 0.13.2 |
| | joblib | le | 0.13.1 |
| | joblib | le | 1.1.0 |
| | joblib | le | 0.14.1 |
| | py3-joblib | eq | 1.0.1-r1 |
| | py3-joblib | eq | 1.0.1-r3 |
| | py3-joblib | eq | 0.14.1-r0 |
| | py3-joblib | eq | 1.0.1-r2 |
| | py3-joblib | eq | 1.0.1-r0 |
| | py3-joblib | eq | 0.15.1-r0 |
- https://github.com/advisories/GHSA-6hrg-qmvc-2xh8
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/