CVE-2022-21797 - Vulnerability Details - OpenCVE

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00191.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Joblib Project	Joblib

Configuration 1 [-]

cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
https://github.com/joblib/joblib/issues/1128
https://github.com/joblib/joblib/pull/1321
https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html
https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/
https://security.gentoo.org/glsa/202401-01
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033

History

Fri, 23 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-09-26T05:05:17.410454Z

Updated: 2024-09-17T04:24:12.503Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-21797

Vulnrichment

Updated: 2024-08-03T02:53:36.168Z

NVD

Status : Modified

Published: 2022-09-26T05:15:10.427

Modified: 2024-11-21T06:45:27.223

Link: CVE-2022-21797

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-21797", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-17T04:24:12.503Z", "dateReserved": "2022-02-24T00:00:00", "datePublished": "2022-09-26T05:05:17.410454Z"}, "containers": {"cna": {"title": "Arbitrary Code Execution", "datePublic": "2022-09-26T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-01-02T16:06:09.733923"}, "descriptions": [{"lang": "en", "value": "The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement."}], "affected": [{"vendor": "n/a", "product": "joblib", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "1.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}, {"url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"}, {"url": "https://github.com/joblib/joblib/issues/1128"}, {"url": "https://github.com/joblib/joblib/pull/1321"}, {"name": "FEDORA-2022-c0bfe37ae5", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"}, {"name": "FEDORA-2022-c83ce1c000", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"}, {"name": "[debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"}, {"name": "GLSA-202401-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-01"}], "credits": [{"lang": "en", "value": "Jim Lin"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 7.3, "temporalScore": 6.9, "baseSeverity": "HIGH", "temporalSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Arbitrary Code Execution"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:36.168Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033", "tags": ["x_transferred"]}, {"url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059", "tags": ["x_transferred"]}, {"url": "https://github.com/joblib/joblib/issues/1128", "tags": ["x_transferred"]}, {"url": "https://github.com/joblib/joblib/pull/1321", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-c0bfe37ae5", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"}, {"name": "FEDORA-2022-c83ce1c000", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"}, {"name": "[debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"}, {"name": "GLSA-202401-01", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-01"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "affected": [{"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "36", "status": "affected"}]}, {"vendor": "debian", "product": "debian_linux", "cpes": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "10.0", "status": "affected"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "37", "status": "affected"}]}, {"vendor": "joblib_project", "product": "joblib", "cpes": ["cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.2.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-23T03:55:38.496202Z", "id": "CVE-2022-21797", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-23T14:49:09.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033", "tags": ["x_transferred"]}, {"url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059", "tags": ["x_transferred"]}, {"url": "https://github.com/joblib/joblib/issues/1128", "tags": ["x_transferred"]}, {"url": "https://github.com/joblib/joblib/pull/1321", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/", "name": "FEDORA-2022-c0bfe37ae5", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/", "name": "FEDORA-2022-c83ce1c000", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html", "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html", "name": "[debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202401-01", "name": "GLSA-202401-01", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:36.168Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-21797", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-23T03:55:38.496202Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*"], "vendor": "fedoraproject", "product": "fedora", "versions": [{"status": "affected", "version": "36"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"], "vendor": "debian", "product": "debian_linux", "versions": [{"status": "affected", "version": "10.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"], "vendor": "fedoraproject", "product": "fedora", "versions": [{"status": "affected", "version": "37"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*"], "vendor": "joblib_project", "product": "joblib", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-23T14:43:46.836Z"}}], "cna": {"title": "Arbitrary Code Execution", "credits": [{"lang": "en", "value": "Jim Lin"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "temporalScore": 6.9, "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "joblib", "versions": [{"status": "affected", "version": "0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "1.2.0", "versionType": "custom"}]}], "datePublic": "2022-09-26T00:00:00", "references": [{"url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}, {"url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"}, {"url": "https://github.com/joblib/joblib/issues/1128"}, {"url": "https://github.com/joblib/joblib/pull/1321"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/", "name": "FEDORA-2022-c0bfe37ae5", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/", "name": "FEDORA-2022-c83ce1c000", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html", "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update", "tags": ["mailing-list"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html", "name": "[debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update", "tags": ["mailing-list"]}, {"url": "https://security.gentoo.org/glsa/202401-01", "name": "GLSA-202401-01", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Arbitrary Code Execution"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-01-02T16:06:09.733923"}}}, "cveMetadata": {"cveId": "CVE-2022-21797", "state": "PUBLISHED", "dateUpdated": "2024-09-17T04:24:12.503Z", "dateReserved": "2022-02-24T00:00:00", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2022-09-26T05:05:17.410454Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joblib_project:joblib:*:*:*:*:*:python:*:*", "matchCriteriaId": "50D353B2-3D1D-47D8-9590-1BAB36CFC87C", "versionEndExcluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement."}, {"lang": "es", "value": "El paquete joblib versiones a partir de 0 anteriores a 1.2.0, son vulnerables a una Ejecuci\u00f3n de C\u00f3digo Arbitraria por medio del flag pre_dispatch en la clase Parallel() debido a la sentencia eval().\n"}], "id": "CVE-2022-21797", "lastModified": "2024-11-21T06:45:27.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-26T05:15:10.427", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/issues/1128"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/pull/1321"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"}, {"source": "report@snyk.io", "url": "https://security.gentoo.org/glsa/202401-01"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/issues/1128"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/joblib/joblib/pull/1321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202401-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}