CVE-2021-42343
PUBLISHED
CVSS 9.3 CRITICAL
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
EPSS 4.68% · 89.5th percentile
Risk Scores
- CVSS v4.0: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
- EPSS Score: 4.68% (89.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| anaconda | dask | 0, 0 |
| PyPI | distributed | 0, 0 |
Timeline
- Oct 26, 2021 CVE Published
- Oct 26, 2021 PoC Published
- Oct 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 13, 2022 EPSS Score
- Aug 4, 2022 EPSS Score
- Sep 29, 2022 EPSS Score
- Jan 19, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 11, 2023 EPSS Score
References
- https://docs.dask.org/en/latest/changelog.html (changelog)
- https://github.com/dask/dask/tags (release tags)
- https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-42343 (NVD advisory)
- https://github.com/dask/distributed/pull/5427 (fix pull request)
- https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b (fix commit)
- https://github.com/dask/distributed (package repository)
- https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-871.yaml (PyPA advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-872.yaml (PyPA advisory)