CVE-2022-21797

Name
CVE-2022-21797
Description
The joblib package, from version 0 up to but not including 1.2.0, is vulnerable to Arbitrary Code Execution via the pre_dispatch flag of the Parallel() class, because its value is passed to an eval() statement.
NVD Severity
unknown

References

Type URI
CONFIRM https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
CONFIRM https://github.com/joblib/joblib/issues/1128
CONFIRM https://github.com/joblib/joblib/pull/1321
CONFIRM https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
MLIST https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
Mailing List https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
report@snyk.io https://security.gentoo.org/glsa/202401-01

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:* py3-joblib >= None < 1.2.0
cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:* py3-joblib >= None < 1.1.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-joblib 3.16-community 1.0.1-r3 Bart Ribbers <bribbers@disroot.org> possibly vulnerable
py3-joblib 3.17-community 1.2.0-r0 Bart Ribbers <bribbers@disroot.org> fixed