CVE-2021-42343 (GCVE-0-2021-42343)
Vulnerability from cvelistv5 – Published: 2021-10-26 10:23 – Updated: 2024-08-04 03:30 – n/a
| URL | Tags |
|---|---|
| https://docs.dask.org/en/latest/changelog.html | x_refsource_MISC |
| https://github.com/dask/dask/tags | x_refsource_MISC |
| https://github.com/dask/distributed/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dask/dask/tags"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-05T07:15:23.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dask/dask/tags"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42343",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.dask.org/en/latest/changelog.html",
"refsource": "MISC",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"name": "https://github.com/dask/dask/tags",
"refsource": "MISC",
"url": "https://github.com/dask/dask/tags"
},
{
"name": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr",
"refsource": "CONFIRM",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42343",
"datePublished": "2021-10-26T10:23:26.000Z",
"dateReserved": "2021-10-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:30:38.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-42343",
"date": "2026-06-22",
"epss": "0.02876",
"percentile": "0.85003"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-42343\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-10-26T11:15:07.800\",\"lastModified\":\"2026-06-17T04:09:40.847\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en el paquete distribuido Dask antes de la versi\u00f3n 2021.10.0 para Python. Los cl\u00fasteres Dask de una sola m\u00e1quina iniciados con dask.distributed.LocalCluster o dask.distributed.Client (que utiliza por defecto LocalCluster) configuraban por error sus respectivos Dask workers para escuchar en interfaces externas (normalmente con un puerto alto seleccionado al azar) en lugar de hacerlo s\u00f3lo en localhost. Un cluster Dask creado con este m\u00e9todo (cuando se ejecuta en una m\u00e1quina que tiene un puerto aplicable expuesto) podr\u00eda ser utilizado por un atacante sofisticado para lograr la ejecuci\u00f3n remota de c\u00f3digo\"}],\"affected\":[{\"source\":\"cve@mitre.org\",\"affectedData\":[{\"vendor\":\"n/a\",\"product\":\"n/a\",\"versions\":[{\"version\":\"n/a\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"2021.10.0\",\"matchCriteriaId\":\"EAB5C365-AE34-4F7A-8462-10177750EDCE\"}]}]}],\"references\":[{\"url\":\"https://docs.dask.org/en/latest/changelog.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/dask/dask/tags\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://docs.dask.org/en/latest/changelog.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/dask/dask/tags\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
FKIE_CVE-2021-42343
Vulnerability from fkie_nvd - Published: 2021-10-26 11:15 - Updated: 2026-06-17 04:09
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://docs.dask.org/en/latest/changelog.html | Release Notes, Vendor Advisory |
| cve@mitre.org | https://github.com/dask/dask/tags | Third Party Advisory |
| cve@mitre.org | https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.dask.org/en/latest/changelog.html | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dask/dask/tags | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr | Third Party Advisory |
{
"affected": [
{
"affectedData": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"source": "cve@mitre.org"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:*",
"matchCriteriaId": "EAB5C365-AE34-4F7A-8462-10177750EDCE",
"versionEndExcluding": "2021.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en el paquete distribuido Dask antes de la versi\u00f3n 2021.10.0 para Python. Los cl\u00fasteres Dask de una sola m\u00e1quina iniciados con dask.distributed.LocalCluster o dask.distributed.Client (que utiliza por defecto LocalCluster) configuraban por error sus respectivos Dask workers para escuchar en interfaces externas (normalmente con un puerto alto seleccionado al azar) en lugar de hacerlo s\u00f3lo en localhost. Un cluster Dask creado con este m\u00e9todo (cuando se ejecuta en una m\u00e1quina que tiene un puerto aplicable expuesto) podr\u00eda ser utilizado por un atacante sofisticado para lograr la ejecuci\u00f3n remota de c\u00f3digo"
}
],
"id": "CVE-2021-42343",
"lastModified": "2026-06-17T04:09:40.847",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-26T11:15:07.800",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/dask/dask/tags"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/dask/dask/tags"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-HWQR-F3V9-HWXR
Vulnerability from github – Published: 2022-07-15 21:56 – Updated: 2026-02-03 17:37
Versions of distributed earlier than 2021.10.0 had a potential security vulnerability relating to single-machine Dask clusters.
Clusters started with dask.distributed.LocalCluster or dask.distributed.Client() (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method AND running on a machine that has these ports exposed could be used by a sophisticated attacker to enable remote code execution. Users running on machines with standard firewalls in place, or using clusters created via cluster objects other than LocalCluster (e.g. dask_kubernetes.KubeCluster) should not be affected. This vulnerability is documented in CVE-2021-42343, and was fixed in version 2021.10.0 (PR #5427).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "distributed"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-42343"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T21:56:08Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Versions of `distributed` earlier than `2021.10.0` had a potential security vulnerability relating to single-machine Dask clusters.\n\nClusters started with `dask.distributed.LocalCluster` or `dask.distributed.Client()` (which defaults to using `LocalCluster`) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on `localhost`. A Dask cluster created using this method AND running on a machine that has these ports exposed could be used by a sophisticated attacker to enable remote code execution. Users running on machines with standard firewalls in place, or using clusters created via cluster objects other than `LocalCluster` (e.g. `dask_kubernetes.KubeCluster`) should not be affected. This vulnerability is documented in CVE-2021-42343, and was fixed in version `2021.10.0` (PR #5427).",
"id": "GHSA-hwqr-f3v9-hwxr",
"modified": "2026-02-03T17:37:34Z",
"published": "2022-07-15T21:56:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42343"
},
{
"type": "WEB",
"url": "https://github.com/dask/distributed/pull/5427"
},
{
"type": "WEB",
"url": "https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b"
},
{
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"type": "WEB",
"url": "https://github.com/dask/dask/tags"
},
{
"type": "PACKAGE",
"url": "https://github.com/dask/distributed"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-871.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-872.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Workers for local Dask clusters mistakenly listened on public interfaces"
}
GHSA-J8FQ-86C5-5V2R
Vulnerability from github – Published: 2021-10-27 18:53 – Updated: 2026-02-03 17:37
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hwqr-f3v9-hwxr. This link is maintained to preserve external references.
Original Description
An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dask"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-27T18:16:11Z",
"nvd_published_at": "2021-10-26T11:15:00Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hwqr-f3v9-hwxr. This link is maintained to preserve external references.\n\n## Original Description\nAn issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"id": "GHSA-j8fq-86c5-5v2r",
"modified": "2026-02-03T17:37:28Z",
"published": "2021-10-27T18:53:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42343"
},
{
"type": "WEB",
"url": "https://github.com/dask/distributed/pull/5427"
},
{
"type": "WEB",
"url": "https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b"
},
{
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
},
{
"type": "WEB",
"url": "https://github.com/dask/dask/tags"
},
{
"type": "PACKAGE",
"url": "https://github.com/dask/distributed"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/dask/PYSEC-2021-387.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Remote code execution in dask",
"withdrawn": "2026-02-03T17:37:27Z"
}
GSD-2021-42343
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-42343",
"description": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"id": "GSD-2021-42343",
"references": [
"https://www.suse.com/security/cve/CVE-2021-42343.html",
"https://security.archlinux.org/CVE-2021-42343"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-42343"
],
"details": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"id": "GSD-2021-42343",
"modified": "2023-12-13T01:23:06.110570Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42343",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.dask.org/en/latest/changelog.html",
"refsource": "MISC",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"name": "https://github.com/dask/dask/tags",
"refsource": "MISC",
"url": "https://github.com/dask/dask/tags"
},
{
"name": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr",
"refsource": "CONFIRM",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2021.10.0",
"affected_versions": "All versions before 2021.10.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-78",
"CWE-937"
],
"date": "2021-11-18",
"description": "An issue was discovered in the Dask distributed package for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"fixed_versions": [
"2021.10.0"
],
"identifier": "CVE-2021-42343",
"identifiers": [
"GHSA-j8fq-86c5-5v2r",
"CVE-2021-42343"
],
"not_impacted": "All versions starting from 2021.10.0",
"package_slug": "pypi/dask",
"pubdate": "2021-10-27",
"solution": "Upgrade to version 2021.10.0 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-42343",
"https://docs.dask.org/en/latest/changelog.html",
"https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr",
"https://github.com/dask/dask/tags",
"https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
],
"uuid": "e17b3a6b-afda-4203-b1a1-588e2358f90d"
},
{
"affected_range": "\u003c2021.10.0",
"affected_versions": "All versions before 2021.10.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-668",
"CWE-78",
"CWE-937"
],
"date": "2022-03-21",
"description": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"fixed_versions": [
"2021.10.0"
],
"identifier": "CVE-2021-42343",
"identifiers": [
"GHSA-j8fq-86c5-5v2r",
"CVE-2021-42343"
],
"not_impacted": "All versions starting from 2021.10.0",
"package_slug": "pypi/distributed",
"pubdate": "2021-10-27",
"solution": "Upgrade to version 2021.10.0 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-42343",
"https://docs.dask.org/en/latest/changelog.html",
"https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr",
"https://github.com/dask/distributed/pull/5427",
"https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b",
"https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
],
"uuid": "72d2c209-58e7-4d2e-9477-893e3ac7a3ff"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:*",
"cpe_name": [],
"versionEndExcluding": "2021.10.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42343"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.dask.org/en/latest/changelog.html",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"name": "https://github.com/dask/dask/tags",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/dask/dask/tags"
},
{
"name": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2021-11-28T23:31Z",
"publishedDate": "2021-10-26T11:15Z"
}
}
}
OPENSUSE-SU-2024:11766-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python38-distributed-2022.1.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python38-distributed-2022.1.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11766",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11766-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-42343 page",
"url": "https://www.suse.com/security/cve/CVE-2021-42343/"
}
],
"title": "python38-distributed-2022.1.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11766-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python38-distributed-2022.1.0-1.1.aarch64",
"product": {
"name": "python38-distributed-2022.1.0-1.1.aarch64",
"product_id": "python38-distributed-2022.1.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python39-distributed-2022.1.0-1.1.aarch64",
"product": {
"name": "python39-distributed-2022.1.0-1.1.aarch64",
"product_id": "python39-distributed-2022.1.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python38-distributed-2022.1.0-1.1.ppc64le",
"product": {
"name": "python38-distributed-2022.1.0-1.1.ppc64le",
"product_id": "python38-distributed-2022.1.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python39-distributed-2022.1.0-1.1.ppc64le",
"product": {
"name": "python39-distributed-2022.1.0-1.1.ppc64le",
"product_id": "python39-distributed-2022.1.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python38-distributed-2022.1.0-1.1.s390x",
"product": {
"name": "python38-distributed-2022.1.0-1.1.s390x",
"product_id": "python38-distributed-2022.1.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python39-distributed-2022.1.0-1.1.s390x",
"product": {
"name": "python39-distributed-2022.1.0-1.1.s390x",
"product_id": "python39-distributed-2022.1.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python38-distributed-2022.1.0-1.1.x86_64",
"product": {
"name": "python38-distributed-2022.1.0-1.1.x86_64",
"product_id": "python38-distributed-2022.1.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python39-distributed-2022.1.0-1.1.x86_64",
"product": {
"name": "python39-distributed-2022.1.0-1.1.x86_64",
"product_id": "python39-distributed-2022.1.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-distributed-2022.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.aarch64"
},
"product_reference": "python38-distributed-2022.1.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-distributed-2022.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.ppc64le"
},
"product_reference": "python38-distributed-2022.1.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-distributed-2022.1.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.s390x"
},
"product_reference": "python38-distributed-2022.1.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-distributed-2022.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.x86_64"
},
"product_reference": "python38-distributed-2022.1.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-distributed-2022.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.aarch64"
},
"product_reference": "python39-distributed-2022.1.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-distributed-2022.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.ppc64le"
},
"product_reference": "python39-distributed-2022.1.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-distributed-2022.1.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.s390x"
},
"product_reference": "python39-distributed-2022.1.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-distributed-2022.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.x86_64"
},
"product_reference": "python39-distributed-2022.1.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-42343",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-42343"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.aarch64",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.s390x",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.x86_64",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.aarch64",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.s390x",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-42343",
"url": "https://www.suse.com/security/cve/CVE-2021-42343"
},
{
"category": "external",
"summary": "SUSE Bug 1192072 for CVE-2021-42343",
"url": "https://bugzilla.suse.com/1192072"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.aarch64",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.s390x",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.x86_64",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.aarch64",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.s390x",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.aarch64",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.s390x",
"openSUSE Tumbleweed:python38-distributed-2022.1.0-1.1.x86_64",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.aarch64",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.s390x",
"openSUSE Tumbleweed:python39-distributed-2022.1.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-42343"
}
]
}
OPENSUSE-SU-2024:13920-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python310-distributed-2024.4.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python310-distributed-2024.4.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13920",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13920-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-42343 page",
"url": "https://www.suse.com/security/cve/CVE-2021-42343/"
}
],
"title": "python310-distributed-2024.4.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13920-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python310-distributed-2024.4.2-1.1.aarch64",
"product": {
"name": "python310-distributed-2024.4.2-1.1.aarch64",
"product_id": "python310-distributed-2024.4.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-distributed-2024.4.2-1.1.aarch64",
"product": {
"name": "python311-distributed-2024.4.2-1.1.aarch64",
"product_id": "python311-distributed-2024.4.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-distributed-2024.4.2-1.1.aarch64",
"product": {
"name": "python312-distributed-2024.4.2-1.1.aarch64",
"product_id": "python312-distributed-2024.4.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-distributed-2024.4.2-1.1.ppc64le",
"product": {
"name": "python310-distributed-2024.4.2-1.1.ppc64le",
"product_id": "python310-distributed-2024.4.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-distributed-2024.4.2-1.1.ppc64le",
"product": {
"name": "python311-distributed-2024.4.2-1.1.ppc64le",
"product_id": "python311-distributed-2024.4.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-distributed-2024.4.2-1.1.ppc64le",
"product": {
"name": "python312-distributed-2024.4.2-1.1.ppc64le",
"product_id": "python312-distributed-2024.4.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-distributed-2024.4.2-1.1.s390x",
"product": {
"name": "python310-distributed-2024.4.2-1.1.s390x",
"product_id": "python310-distributed-2024.4.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-distributed-2024.4.2-1.1.s390x",
"product": {
"name": "python311-distributed-2024.4.2-1.1.s390x",
"product_id": "python311-distributed-2024.4.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-distributed-2024.4.2-1.1.s390x",
"product": {
"name": "python312-distributed-2024.4.2-1.1.s390x",
"product_id": "python312-distributed-2024.4.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-distributed-2024.4.2-1.1.x86_64",
"product": {
"name": "python310-distributed-2024.4.2-1.1.x86_64",
"product_id": "python310-distributed-2024.4.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-distributed-2024.4.2-1.1.x86_64",
"product": {
"name": "python311-distributed-2024.4.2-1.1.x86_64",
"product_id": "python311-distributed-2024.4.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-distributed-2024.4.2-1.1.x86_64",
"product": {
"name": "python312-distributed-2024.4.2-1.1.x86_64",
"product_id": "python312-distributed-2024.4.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-distributed-2024.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.aarch64"
},
"product_reference": "python310-distributed-2024.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-distributed-2024.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.ppc64le"
},
"product_reference": "python310-distributed-2024.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-distributed-2024.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.s390x"
},
"product_reference": "python310-distributed-2024.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-distributed-2024.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.x86_64"
},
"product_reference": "python310-distributed-2024.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-distributed-2024.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.aarch64"
},
"product_reference": "python311-distributed-2024.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-distributed-2024.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.ppc64le"
},
"product_reference": "python311-distributed-2024.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-distributed-2024.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.s390x"
},
"product_reference": "python311-distributed-2024.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-distributed-2024.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.x86_64"
},
"product_reference": "python311-distributed-2024.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-distributed-2024.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.aarch64"
},
"product_reference": "python312-distributed-2024.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-distributed-2024.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.ppc64le"
},
"product_reference": "python312-distributed-2024.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-distributed-2024.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.s390x"
},
"product_reference": "python312-distributed-2024.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-distributed-2024.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.x86_64"
},
"product_reference": "python312-distributed-2024.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-42343",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-42343"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-42343",
"url": "https://www.suse.com/security/cve/CVE-2021-42343"
},
{
"category": "external",
"summary": "SUSE Bug 1192072 for CVE-2021-42343",
"url": "https://bugzilla.suse.com/1192072"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python310-distributed-2024.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python311-distributed-2024.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.s390x",
"openSUSE Tumbleweed:python312-distributed-2024.4.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-42343"
}
]
}
PYSEC-2021-387
Vulnerability from pysec - Published: 2021-10-26 11:15 - Updated: 2021-11-11 13:06
An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
| Name | purl |
|---|---|
| dask | pkg:pypi/dask |
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dask",
"purl": "pkg:pypi/dask"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.10.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.10.0",
"0.10.1",
"0.10.2",
"0.11.0",
"0.11.1",
"0.12.0",
"0.13.0",
"0.13.0rc1",
"0.14.0",
"0.14.1",
"0.14.2",
"0.14.3",
"0.15.0",
"0.15.1",
"0.15.2",
"0.15.3",
"0.15.4",
"0.16.0",
"0.16.1",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.17.5",
"0.18.0",
"0.18.1",
"0.18.2",
"0.19.0",
"0.19.1",
"0.19.2",
"0.19.3",
"0.19.4",
"0.2.0",
"0.2.1",
"0.2.2",
"0.2.3",
"0.2.4",
"0.2.5",
"0.2.6",
"0.20.0",
"0.20.1",
"0.20.2",
"0.3.0",
"0.4.0",
"0.5.0",
"0.6.0",
"0.6.1",
"0.7.0",
"0.7.1",
"0.7.2",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.6",
"0.8.0",
"0.8.1",
"0.8.2",
"0.9.0",
"1.0.0",
"1.1.0",
"1.1.1",
"1.1.2",
"1.1.3",
"1.1.4",
"1.1.5",
"1.2.0",
"1.2.1",
"1.2.2",
"2.0.0",
"2.1.0",
"2.10.0",
"2.10.1",
"2.11.0",
"2.12.0",
"2.13.0",
"2.14.0",
"2.15.0",
"2.16.0",
"2.17.0",
"2.17.1",
"2.17.2",
"2.18.0",
"2.18.1",
"2.19.0",
"2.2.0",
"2.20.0",
"2.21.0",
"2.22.0",
"2.23.0",
"2.24.0",
"2.25.0",
"2.26.0",
"2.27.0",
"2.28.0",
"2.29.0",
"2.3.0",
"2.30.0",
"2.4.0",
"2.5.0",
"2.5.2",
"2.6.0",
"2.7.0",
"2.8.0",
"2.8.1",
"2.9.0",
"2.9.1",
"2.9.2",
"2020.12.0",
"2021.1.0",
"2021.1.1",
"2021.2.0",
"2021.3.0",
"2021.3.1",
"2021.4.0",
"2021.4.1",
"2021.5.0",
"2021.5.1",
"2021.6.0",
"2021.6.1",
"2021.6.2",
"2021.7.0",
"2021.7.1",
"2021.7.2",
"2021.8.0",
"2021.8.1",
"2021.9.0",
"2021.9.1"
]
}
],
"aliases": [
"CVE-2021-42343",
"GHSA-j8fq-86c5-5v2r"
],
"details": "An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"id": "PYSEC-2021-387",
"modified": "2021-11-11T13:06:47.756280Z",
"published": "2021-10-26T11:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"type": "WEB",
"url": "https://github.com/dask/dask/tags"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
}
]
}
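Every record on this page describes the same defect: a bind-address mistake, where the workers of a single-machine LocalCluster listened on external interfaces on a randomly chosen high port instead of only on localhost, so a cluster meant for one machine became a network-reachable code-execution service. The script below is an added example, not code from the Dask project or from any of the advisories; it parses the output of `ss -H -ltnp` (Linux iproute2) and flags Python processes that are listening on a non-loopback address on a high port, which is the footprint to look for on a host running distributed older than 2021.10.0. The lines embedded as SAMPLE_SS_OUTPUT are constructed: 8786 and 8787 are Dask's default scheduler and dashboard ports, while 43311 and 46013 are made-up worker ports.

```python
"""Audit a host for Dask-style workers listening on non-loopback interfaces.

Added example for CVE-2021-42343; this is not code from the Dask project.
It parses `ss -H -ltnp` output (Linux iproute2), which lists every listening
TCP socket with its bound address and owning process, and flags Python
processes bound to a wildcard or routable address on a high port, which is
the footprint of a vulnerable LocalCluster worker.  SAMPLE_SS_OUTPUT is
constructed for illustration; audit_live() runs the real command.
"""
from __future__ import annotations

import ipaddress
import re
import shutil
import subprocess
from dataclasses import dataclass

# One `ss -H -ltnp` line, e.g.
#   LISTEN 0 4096 0.0.0.0:43311 0.0.0.0:* users:(("python",pid=4243,fd=18))
_SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$"
)
_PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Constructed sample: scheduler (8786) and dashboard (8787) correctly bound to
# loopback, two worker-style sockets exposed on all interfaces, and an sshd.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:8786 0.0.0.0:* users:(("python",pid=4242,fd=21))
LISTEN 0 4096 0.0.0.0:43311 0.0.0.0:* users:(("python",pid=4243,fd=18))
LISTEN 0 4096 *:46013 *:* users:(("python",pid=4244,fd=18))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 4096 [::1]:8787 [::]:* users:(("python",pid=4242,fd=30))
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1 only; '*', '0.0.0.0' and '::' bind every interface."""
    addr = addr.strip("[]")
    if addr in ("", "*"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # ss -n prints numeric addresses; anything else is treated as exposed


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -H -ltnp` output into Listener records; lines that do not parse are skipped."""
    listeners = []
    for line in text.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue
        proc = _PROC.search(m.group("users") or "")
        name, pid = (proc.group("name"), int(proc.group("pid"))) if proc else ("?", 0)
        listeners.append(Listener(m.group("addr"), int(m.group("port")), name, pid))
    return listeners


def exposed_python_listeners(listeners: list[Listener], min_port: int = 1024) -> list[Listener]:
    """Python processes bound to a non-loopback address on a high port: candidate exposed workers."""
    return [
        l for l in listeners
        if l.process.startswith("python") and not is_loopback(l.address) and l.port >= min_port
    ]


def audit_live() -> list[Listener]:
    """Run the real `ss` (needs iproute2; root to see other users' process names) and audit it."""
    if shutil.which("ss") is None:
        raise RuntimeError("ss (iproute2) not found; this audit only runs on Linux")
    out = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return exposed_python_listeners(parse_ss(out))


if __name__ == "__main__":
    for hit in exposed_python_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED pid={hit.pid} {hit.process} listening on {hit.address}:{hit.port}")
```

On the constructed sample the audit reports only the two worker-style sockets on 0.0.0.0 and *, not the loopback-bound scheduler and dashboard. Run `audit_live()` while a `Client()` is up on a host with an affected distributed version to confirm exposure; the remediation the records agree on is upgrading distributed to 2021.10.0 or later, after which a fresh audit should show the worker ports on loopback only.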
PYSEC-2021-871
Vulnerability from pysec - Published: 2021-10-26 11:15 - Updated: 2022-07-14 05:11
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
| Name | purl |
|---|---|
| distributed | pkg:pypi/distributed |
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "distributed",
"purl": "pkg:pypi/distributed"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.10.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0",
"1.0.1",
"1.0.2",
"1.1.0",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.11.3",
"1.12.0",
"1.12.1",
"1.12.2",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.14.0",
"1.14.1",
"1.14.3",
"1.15.0",
"1.15.0rc1",
"1.15.1",
"1.15.2",
"1.16.0",
"1.16.1",
"1.16.2",
"1.16.3",
"1.17.0",
"1.17.1",
"1.18.0",
"1.18.1",
"1.18.2",
"1.18.3",
"1.19.0",
"1.19.1",
"1.19.2",
"1.19.3",
"1.2.0",
"1.2.1",
"1.2.2",
"1.2.3",
"1.20.0",
"1.20.1",
"1.20.2",
"1.21.0",
"1.21.1",
"1.21.2",
"1.21.3",
"1.21.4",
"1.21.5",
"1.21.6",
"1.21.7",
"1.21.8",
"1.22.0",
"1.22.1",
"1.23.0",
"1.23.1",
"1.23.2",
"1.23.3",
"1.24.0",
"1.24.1",
"1.24.2",
"1.25.0",
"1.25.1",
"1.25.2",
"1.25.3",
"1.26.0",
"1.26.1",
"1.27.0",
"1.27.1",
"1.28.0",
"1.28.1",
"1.3.0",
"1.3.1",
"1.3.2",
"1.3.3",
"1.4.0",
"1.5.0",
"1.6.0",
"1.6.1",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.8.0",
"1.8.1",
"1.9.0",
"1.9.1",
"1.9.2",
"1.9.3",
"1.9.4",
"1.9.5",
"2.0.1",
"2.1.0",
"2.10.0",
"2.11.0",
"2.12.0",
"2.13.0",
"2.14.0",
"2.15.0",
"2.15.1",
"2.15.2",
"2.16.0",
"2.17.0",
"2.18.0",
"2.19.0",
"2.2.0",
"2.20.0",
"2.21.0",
"2.22.0",
"2.23.0",
"2.24.0",
"2.25.0",
"2.26.0",
"2.27.0",
"2.28.0",
"2.29.0",
"2.3.0",
"2.3.1",
"2.3.2",
"2.30.0",
"2.30.1",
"2.4.0",
"2.5.0",
"2.5.1",
"2.5.2",
"2.6.0",
"2.7.0",
"2.8.0",
"2.8.1",
"2.9.0",
"2.9.1",
"2.9.2",
"2.9.3",
"2020.12.0",
"2021.1.0",
"2021.1.1",
"2021.2.0",
"2021.3.0",
"2021.3.1",
"2021.4.0",
"2021.4.1",
"2021.5.0",
"2021.5.1",
"2021.6.0",
"2021.6.1",
"2021.6.2",
"2021.7.0",
"2021.7.1",
"2021.7.2",
"2021.8.0",
"2021.8.1",
"2021.9.0",
"2021.9.1"
]
}
],
"aliases": [
"CVE-2021-42343",
"GHSA-hwqr-f3v9-hwxr"
],
"details": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"id": "PYSEC-2021-871",
"modified": "2022-07-14T05:11:51.739830Z",
"published": "2021-10-26T11:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"type": "WEB",
"url": "https://github.com/dask/dask/tags"
},
{
"type": "ADVISORY",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
}
]
}
PYSEC-2021-872
Vulnerability from pysec - Published: 2021-10-26 11:15 - Updated: 2023-05-25 05:07
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
| Name | purl |
|---|---|
| distributed | pkg:pypi/distributed |
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "distributed",
"purl": "pkg:pypi/distributed"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.10.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0",
"1.0.1",
"1.0.2",
"1.1.0",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.11.3",
"1.12.0",
"1.12.1",
"1.12.2",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.14.0",
"1.14.1",
"1.14.3",
"1.15.0",
"1.15.0rc1",
"1.15.1",
"1.15.2",
"1.16.0",
"1.16.1",
"1.16.2",
"1.16.3",
"1.17.0",
"1.17.1",
"1.18.0",
"1.18.1",
"1.18.2",
"1.18.3",
"1.19.0",
"1.19.1",
"1.19.2",
"1.19.3",
"1.2.0",
"1.2.1",
"1.2.2",
"1.2.3",
"1.20.0",
"1.20.1",
"1.20.2",
"1.21.0",
"1.21.1",
"1.21.2",
"1.21.3",
"1.21.4",
"1.21.5",
"1.21.6",
"1.21.7",
"1.21.8",
"1.22.0",
"1.22.1",
"1.23.0",
"1.23.1",
"1.23.2",
"1.23.3",
"1.24.0",
"1.24.1",
"1.24.2",
"1.25.0",
"1.25.1",
"1.25.2",
"1.25.3",
"1.26.0",
"1.26.1",
"1.27.0",
"1.27.1",
"1.28.0",
"1.28.1",
"1.3.0",
"1.3.1",
"1.3.2",
"1.3.3",
"1.4.0",
"1.5.0",
"1.6.0",
"1.6.1",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.8.0",
"1.8.1",
"1.9.0",
"1.9.1",
"1.9.2",
"1.9.3",
"1.9.4",
"1.9.5",
"2.0.1",
"2.1.0",
"2.10.0",
"2.11.0",
"2.12.0",
"2.13.0",
"2.14.0",
"2.15.0",
"2.15.1",
"2.15.2",
"2.16.0",
"2.17.0",
"2.18.0",
"2.19.0",
"2.2.0",
"2.20.0",
"2.21.0",
"2.22.0",
"2.23.0",
"2.24.0",
"2.25.0",
"2.26.0",
"2.27.0",
"2.28.0",
"2.29.0",
"2.3.0",
"2.3.1",
"2.3.2",
"2.30.0",
"2.30.1",
"2.4.0",
"2.5.0",
"2.5.1",
"2.5.2",
"2.6.0",
"2.7.0",
"2.8.0",
"2.8.1",
"2.9.0",
"2.9.1",
"2.9.2",
"2.9.3",
"2020.12.0",
"2021.1.0",
"2021.1.1",
"2021.2.0",
"2021.3.0",
"2021.3.1",
"2021.4.0",
"2021.4.1",
"2021.5.0",
"2021.5.1",
"2021.6.0",
"2021.6.1",
"2021.6.2",
"2021.7.0",
"2021.7.1",
"2021.7.2",
"2021.8.0",
"2021.8.1",
"2021.9.0",
"2021.9.1"
]
}
],
"aliases": [
"CVE-2021-42343",
"GHSA-hwqr-f3v9-hwxr",
"GHSA-j8fq-86c5-5v2r"
],
"details": "An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
"id": "PYSEC-2021-872",
"modified": "2023-05-25T05:07:00Z",
"published": "2021-10-26T11:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
{
"type": "WEB",
"url": "https://github.com/dask/dask/tags"
},
{
"type": "ADVISORY",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.