CVE-2022-21797

Name

CVE-2022-21797

Description

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
CONFIRM	https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
CONFIRM	https://github.com/joblib/joblib/issues/1128
CONFIRM	https://github.com/joblib/joblib/pull/1321
CONFIRM	https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
MLIST	https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
Mailing List	https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
report@snyk.io	https://security.gentoo.org/glsa/202401-01

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:joblib_project:joblib::::::python::*`	py3-joblib	>= None	< 1.2.0
`cpe:2.3:a:joblib_project:joblib::::::python::*`	py3-joblib	>= None	< 1.1.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-joblib	3.16-community	1.0.1-r3	Bart Ribbers <bribbers@disroot.org>	possibly vulnerable
py3-joblib	3.17-community	1.2.0-r0	Bart Ribbers <bribbers@disroot.org>	fixed