CVE-2021-42343

Name
CVE-2021-42343
Description
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/dask/dask/releases
MISC https://docs.dask.org/en/latest/changelog.html
MISC https://github.com/dask/dask/tags
CONFIRM https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:* py3-dask >= None <= 2021.09.1
cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:* py3-dask >= None < 2021.10.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-dask 3.15-community 2021.7.0-r0 Bart Ribbers <bribbers@disroot.org> possibly vulnerable
py3-dask 3.16-community 2022.2.0-r0 Bart Ribbers <bribbers@disroot.org> fixed