CVE-2022-21797

Опубликовано: 26 сент. 2022

Источник: nvd

CVSS3: 7.3

CVSS3: 9.8

EPSS Низкий

Описание

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

Ссылки

https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
Patch
Third Party Advisory
https://github.com/joblib/joblib/issues/1128
Exploit
Issue Tracking
Third Party Advisory
https://github.com/joblib/joblib/pull/1321
Issue Tracking
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
https://security.gentoo.org/glsa/202401-01
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Exploit
Issue Tracking
Patch
Third Party Advisory
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
Patch
Third Party Advisory
https://github.com/joblib/joblib/issues/1128
Exploit
Issue Tracking
Third Party Advisory
https://github.com/joblib/joblib/pull/1321
Issue Tracking
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
https://security.gentoo.org/glsa/202401-01
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Exploit
Issue Tracking
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*

Версия до 1.1.1 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 45%

0.00222

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

Дефекты

NVD-CWE-noinfo

CWE-94

Связанные уязвимости

CVE-2022-21797

CVSS3: 7.3

ubuntu

больше 3 лет назад

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

CVE-2022-21797

CVSS3: 7.3

debian

больше 3 лет назад

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary ...

openSUSE-SU-2022:10214-1

suse-cvrf

около 3 лет назад

Security update for python-joblib

GHSA-6hrg-qmvc-2xh8

CVSS3: 9.8

github

больше 3 лет назад

joblib vulnerable to arbitrary code execution

EPSS

Процентиль: 45%

0.00222

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

Дефекты

NVD-CWE-noinfo

CWE-94