CVE-2021-42343

Name

CVE-2021-42343

Description

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/dask/dask/releases
MISC	https://docs.dask.org/en/latest/changelog.html
MISC	https://github.com/dask/dask/tags
CONFIRM	https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:anaconda:dask::::::python::*`	py3-dask	>= None	<= 2021.09.1
`cpe:2.3:a:anaconda:dask::::::python::*`	py3-dask	>= None	< 2021.10.0

Source package	Branch	Version	Maintainer	Status
py3-dask	3.15-community	2021.7.0-r0	Bart Ribbers <bribbers@disroot.org>	possibly vulnerable
py3-dask	3.16-community	2022.2.0-r0	Bart Ribbers <bribbers@disroot.org>	fixed

References

Match rules

Vulnerable and fixed packages