CVE-2022-21797: joblib vulnerable to arbitrary code execution
(updated )
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
References
- github.com/advisories/GHSA-6hrg-qmvc-2xh8
- github.com/joblib/joblib
- github.com/joblib/joblib/commit/6638b9e9711ad1ebbf6dd95aa7cee0dca9897b42
- github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- github.com/joblib/joblib/issues/1128
- github.com/joblib/joblib/pull/1321
- github.com/joblib/joblib/pull/1327
- github.com/joblib/joblib/pull/1352
- github.com/pypa/advisory-database/tree/main/vulns/joblib/PYSEC-2022-288.yaml
- lists.debian.org/debian-lts-announce/2022/11/msg00020.html
- lists.debian.org/debian-lts-announce/2023/03/msg00027.html
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
- nvd.nist.gov/vuln/detail/CVE-2022-21797
- security.gentoo.org/glsa/202401-01
- security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Detect and mitigate CVE-2022-21797 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →