CVE-2022-21797

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

References

Affected packages

Debian:11 / joblib

Package

Name: joblib
Purl: pkg:deb/debian/joblib?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.17.0-4+deb11u1

Affected versions

0.*

0.17.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / joblib

Package

Name: joblib
Purl: pkg:deb/debian/joblib?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / joblib

Package

Name: joblib
Purl: pkg:deb/debian/joblib?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/joblib/joblib

Affected ranges

Type: GIT
Repo: https://github.com/joblib/joblib
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b90f10efeb670a2cc877fb88ebb3f2019189e059

Fixed

b90f10efeb670a2cc877fb88ebb3f2019189e059

Affected versions

0.*

0.10.0

0.10.2

0.11

0.12

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

0.13.0

0.13.1

0.13.2

0.14.0

0.14.1

0.15.0

0.15.1

0.16.0

0.17.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.5.0

0.5.1

0.5.3

0.5.4

0.5.7

0.6.0

0.6.0.b

0.6.0.b2

0.6.0.b3

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.7.0c

0.7.0d

0.7.1

0.8.0

0.8.0a2

0.8.0a3

0.8.1

0.8.2

0.8.3

0.8.3-r1

0.8.4

0.9.0

0.9.0b2

0.9.0b3

0.9.0b4

0.9.1

0.9.2

0.9.3

0.9.4

1.*

1.0.0

1.0.1

1.1.0