CVE Alert

CVE-2022-21797

HIGH 7.3

Arbitrary Code Execution

CVSS Score
7.3
EPSS Score
0.0%
EPSS Percentile
0th

The joblib package, in all versions from 0 up to but not including 1.2.0, is vulnerable to Arbitrary Code Execution via the pre_dispatch flag of the Parallel() class, because the flag's value is passed to an eval() statement.

Vendor n/a
Product joblib
Published Sep 26, 2022
Last Updated Sep 17, 2024

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Affected Versions

n/a / joblib
>= 0, < 1.2.0

References

NVD · CVE.org · EPSS Data
security.snyk.io: https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
github.com: https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
github.com: https://github.com/joblib/joblib/issues/1128
github.com: https://github.com/joblib/joblib/pull/1321
lists.fedoraproject.org: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
lists.fedoraproject.org: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
lists.debian.org: https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
lists.debian.org: https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
security.gentoo.org: https://security.gentoo.org/glsa/202401-01

Credits

Jim Lin