CVE-2022-21797 - OpenCVE

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Joblib Project	Joblib
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059	Patch Third Party Advisory
https://github.com/joblib/joblib/issues/1128	Exploit Issue Tracking Third Party Advisory
https://github.com/joblib/joblib/pull/1321	Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
https://security.gentoo.org/glsa/202401-01
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033	Exploit Issue Tracking Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-09-26T00:00:00

Updated: 2024-01-02T16:06:09.733923

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-21797

JSON object: View

NVD Information

Status : Modified

Published: 2022-09-26T05:15:10.427

Modified: 2024-01-02T16:15:11.413

Link: CVE-2022-21797

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-21797", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-01-02T16:06:09.733923", "dateReserved": "2022-02-24T00:00:00", "datePublished": "2022-09-26T00:00:00"}, "containers": {"cna": {"title": "Arbitrary Code Execution", "datePublic": "2022-09-26T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-01-02T16:06:09.733923"}, "descriptions": [{"lang": "en", "value": "The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement."}], "affected": [{"vendor": "n/a", "product": "joblib", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "1.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}, {"url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"}, {"url": "https://github.com/joblib/joblib/issues/1128"}, {"url": "https://github.com/joblib/joblib/pull/1321"}, {"name": "FEDORA-2022-c0bfe37ae5", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"}, {"name": "FEDORA-2022-c83ce1c000", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"}, {"name": "[debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"}, {"name": "GLSA-202401-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-01"}], "credits": [{"lang": "en", "value": "Jim Lin"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 7.3, "temporalScore": 6.9, "baseSeverity": "HIGH", "temporalSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Arbitrary Code Execution"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*", "matchCriteriaId": "50D353B2-3D1D-47D8-9590-1BAB36CFC87C", "versionEndExcluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement."}, {"lang": "es", "value": "El paquete joblib versiones a partir de 0 anteriores a 1.2.0, son vulnerables a una Ejecuci\u00f3n de C\u00f3digo Arbitraria por medio del flag pre_dispatch en la clase Parallel() debido a la sentencia eval().\n"}], "id": "CVE-2022-21797", "lastModified": "2024-01-02T16:15:11.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-09-26T05:15:10.427", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/issues/1128"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/pull/1321"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"}, {"source": "report@snyk.io", "url": "https://security.gentoo.org/glsa/202401-01"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}