GHSA-6hrg-qmvc-2xh8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6hrg-qmvc-2xh8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-6hrg-qmvc-2xh8/GHSA-6hrg-qmvc-2xh8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6hrg-qmvc-2xh8
- Aliases
- Published
- 2022-09-27T00:00:22Z
- Modified
- 2024-09-23T19:53:06.419106Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- joblib vulnerable to arbitrary code execution
- Details
-
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the
pre_dispatchflag inParallel()class due to theeval()statement. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-21797
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://github.com/joblib/joblib/pull/1327
- https://github.com/joblib/joblib/pull/1352
- https://github.com/joblib/joblib/commit/6638b9e9711ad1ebbf6dd95aa7cee0dca9897b42
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
- https://security.gentoo.org/glsa/202401-01
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
- https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
- https://github.com/pypa/advisory-database/tree/main/vulns/joblib/PYSEC-2022-288.yaml
- https://github.com/joblib/joblib
Affected packages
PyPI / joblib
Package
- Name
- joblib
- View open source insights on deps.dev
- Purl
- pkg:pypi/joblib
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.2.0
Affected versions
0.*
0.3.2d.dev
0.3.2d
0.3.2e.dev
0.3.2f.dev
0.3.2f
0.3.2g.dev
0.7.0d
0.1a.dev
0.1a
0.2a.dev
0.3a.dev
0.3.1a.dev
0.3.2.dev
0.3.2a.dev
0.3.2b.dev
0.3.2c.dev
0.3.3a.dev
0.3.3b.dev
0.3.3c.dev
0.3.4.dev
0.3.5.dev
0.3.6.dev
0.3.7.dev
0.4.0.dev
0.4.1.dev
0.4.2.dev
0.4.3.dev
0.4.4.dev
0.4.5.dev
0.4.6.dev
0.5.0.dev
0.5.0a.dev
0.5.1.dev
0.5.2.dev
0.5.3.dev
0.5.4.dev
0.5.5.dev
0.5.6.dev
0.5.7.dev
0.5.7a.dev
0.5.7a
0.5.7b.dev
0.5.7
0.6.0a
0.6.0b
0.6.0b2
0.6.0b3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0a
0.7.0b
0.7.0c
0.7.1
0.8.0a
0.8.0a2
0.8.0a3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.3-r1
0.8.4
0.9.0b2
0.9.0b3
0.9.0b4
0.9.1
0.9.2
0.9.3
0.9.4
0.10.0
0.10.2
0.10.3
0.11a3
0.11
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.13.0
0.13.1
0.13.2
0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.17.0
1.*
1.0.0
1.0.1
1.1.0a0
1.1.0
1.1.1