PyPI: joblib
CVE-2022-21797
Safety vulnerability ID: SFTY-20220926-34155
Safety legacy ID: pyup.io-51242
Affected versions of Joblib are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
Overview
joblib vulnerable to arbitrary code execution
Advisory
Affected versions of Joblib are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
How to Fix
Upgrade
joblib
to1.2.0
or higher.Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20220926-34155/CVE-2022-21797
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
- https://nvd.nist.gov/vuln/detail/CVE-2022-21797
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
- https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
- https://github.com/joblib/joblib/pull/1327
- https://github.com/joblib/joblib/pull/1352
- https://github.com/joblib/joblib/commit/6638b9e9711ad1ebbf6dd95aa7cee0dca9897b42
- https://github.com/pypa/advisory-database/tree/main/vulns/joblib/PYSEC-2022-288.yaml
- https://security.gentoo.org/glsa/202401-01
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF
- https://github.com/advisories/GHSA-6hrg-qmvc-2xh8
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more