CVE-2022-21797

NameCVE-2022-21797
DescriptionThe package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3193-2
Debian Bugs1020820

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
joblib (PTS)bullseye0.17.0-4+deb11u1fixed
bookworm1.2.0-4+deb12u1fixed
trixie1.4.2-4fixed
forky, sid1.4.2-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
joblibsourcebuster0.13.0-2+deb10u2DLA-3193-2
joblibsourcebullseye0.17.0-4+deb11u1
joblibsource(unstable)1.2.0-11020820

Notes

https://github.com/joblib/joblib/issues/1128
https://github.com/joblib/joblib/pull/1321
Better fix: https://github.com/joblib/joblib/pull/1327
Fixed by: https://github.com/joblib/joblib/commit/54f4d21f098591c77b48c9acfffaa4cf0a45282b (1.2.0)
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Search for package or bug name: Reporting problems