CVE-2021-42343

EUVD-2021-0050
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single-machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
CVSS 3.x Base Score

Provider  Type     Base Score    Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score: Percentile 87%
Affected Products (NVD)

Vendor    Product  Version
anaconda  dask     < 2021.10.0 (vulnerable software versions)
Debian Releases

Debian Product    Codename   Version                      Status
dask.distributed  bookworm   2022.12.1+ds.1-3             fixed
dask.distributed  bullseye   2021.01.0+ds.1-2.1+deb11u1   fixed
dask.distributed  buster     (none listed)                ignored
dask.distributed  sid        2024.5.2+ds.1-7              fixed
dask.distributed  trixie     2024.5.2+ds.1-7              fixed
Ubuntu Releases

Ubuntu Product    Codename  Status
dask.distributed  bionic    needed
dask.distributed  focal     needed
dask.distributed  hirsute   ignored
dask.distributed  impish    ignored
dask.distributed  jammy     not-affected
dask.distributed  kinetic   not-affected
dask.distributed  lunar     not-affected
dask.distributed  mantic    not-affected
dask.distributed  noble     not-affected
dask.distributed  trusty    ignored
dask.distributed  xenial    ignored