CVE-2022-21797

NameCVE-2022-21797
DescriptionThe package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3193-2, ELA-823-1
Debian Bugs1020820

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
joblib (PTS)jessie, jessie (lts)0.8.3-1+deb8u1fixed
stretch (lts), stretch0.10.3+git55-g660fe5d-1+deb9u1fixed
buster (security), buster, buster (lts)0.13.0-2+deb10u2fixed
bullseye0.17.0-4+deb11u1fixed
bookworm1.2.0-4fixed
sid, trixie1.3.2-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
joblibsourcejessie0.8.3-1+deb8u1ELA-823-1
joblibsourcestretch0.10.3+git55-g660fe5d-1+deb9u1ELA-823-1
joblibsourcebuster0.13.0-2+deb10u2DLA-3193-2
joblibsourcebullseye0.17.0-4+deb11u1
joblibsource(unstable)1.2.0-11020820

Notes

https://github.com/joblib/joblib/issues/1128
https://github.com/joblib/joblib/pull/1321
Better fix: https://github.com/joblib/joblib/pull/1327
Fixed by: https://github.com/joblib/joblib/commit/54f4d21f098591c77b48c9acfffaa4cf0a45282b (1.2.0)
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Search for package or bug name: Reporting problems