The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
References
Link | Resource |
---|---|
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059 | Patch Third Party Advisory |
https://github.com/joblib/joblib/issues/1128 | Exploit Issue Tracking Third Party Advisory |
https://github.com/joblib/joblib/pull/1321 | Issue Tracking Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/ | |
https://security.gentoo.org/glsa/202401-01 | |
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033 | Exploit Issue Tracking Patch Third Party Advisory |
Configurations
History
23 Aug 2024, 15:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 |
02 Jan 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Nov 2023, 03:43
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2022-09-26 05:15
Updated : 2024-08-23 15:35
NVD link : CVE-2022-21797
Mitre link : CVE-2022-21797
CVE.ORG link : CVE-2022-21797
JSON object : View
Products Affected
joblib_project
- joblib
fedoraproject
- fedora
debian
- debian_linux
CWE