Arbitrary Code Execution

2022-09-2707:29:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.004 Low

EPSS

Percentile

75.0%

JSON

joblib is vulnerable to arbitrary code execution. The vulnerability exists in _batched_calls_reducer_callback function of parallel.py via the pre_dispatched flag in Parallel() class due to the eval() statement. When the attacker enters a statement in the flag pre_dispatch it will run whatever the attacker wants to run.

CPENameOperatorVersion
joblibeq0.13.2
joblible0.13.1
joblible1.1.0
joblible0.14.1
py3-joblibeq1.0.1-r1
py3-joblibeq1.0.1-r3
py3-joblibeq0.14.1-r0
py3-joblibeq1.0.1-r2
py3-joblibeq1.0.1-r0
py3-joblibeq0.15.1-r0

Name	Operator	Version
joblib	eq	0.13.2
joblib	le	0.13.1
joblib	le	1.1.0
joblib	le	0.14.1
py3-joblib	eq	1.0.1-r1
py3-joblib	eq	1.0.1-r3
py3-joblib	eq	0.14.1-r0
py3-joblib	eq	1.0.1-r2
py3-joblib	eq	1.0.1-r0
py3-joblib	eq	0.15.1-r0