CVE-2021-42343

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
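The practical question for an operator is which interface the workers of a LocalCluster actually bound to. The following is an added example, not code from the CVE record or from the dask project: it classifies Dask worker listen addresses (the `tcp://host:port` keys the scheduler reports) as loopback-only or externally reachable, with wildcard binds (`0.0.0.0`, `::`) counted as exposed. The sample addresses are constructed for illustration. The optional live check assumes `LocalCluster(host=...)` and `cluster.scheduler_info["workers"]`, which are the documented parameter and attribute in dask.distributed; it runs only when that package is installed.

```python
# Added example (not part of the CVE record or of dask.distributed).
# Classifies Dask worker listen addresses as loopback-only or exposed,
# the condition CVE-2021-42343 describes for LocalCluster workers.
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost"}
NETWORK_SCHEMES = {"tcp", "tls"}  # inproc:// workers are not network-reachable


def is_loopback(host: str) -> bool:
    """True if host is a loopback name or address (127.0.0.0/8 or ::1).
    An unresolved hostname is treated as not proven safe."""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def listen_host(address: str) -> str:
    """Host part of a Dask address such as tcp://10.0.0.5:38473.
    urlsplit strips the brackets from IPv6 literals like tcp://[::]:8786."""
    host = urlsplit(address).hostname
    if host is None:
        raise ValueError(f"no host in {address!r}")
    return host


def exposed_addresses(addresses):
    """Subset of addresses bound to a non-loopback network interface.
    Wildcard binds (0.0.0.0, ::) are reported as exposed because they
    accept connections on every interface."""
    return [
        a for a in addresses
        if urlsplit(a).scheme in NETWORK_SCHEMES and not is_loopback(listen_host(a))
    ]


# Constructed sample: worker keys as an affected release would report them,
# with randomly chosen high ports. Addresses are made up for this example.
SAMPLE_WORKERS_AFFECTED = [
    "tcp://192.168.1.23:38473",
    "tcp://192.168.1.23:41201",
]
SAMPLE_WORKERS_FIXED = [
    "tcp://127.0.0.1:38473",
    "tcp://127.0.0.1:41201",
]


def live_check():
    """Start a LocalCluster pinned to loopback and return any exposed worker
    addresses. Returns None when dask.distributed is not installed.
    Assumes the documented LocalCluster(host=...) parameter and the
    cluster.scheduler_info attribute."""
    try:
        from dask.distributed import LocalCluster
    except ImportError:
        return None
    with LocalCluster(n_workers=1, host="127.0.0.1") as cluster:
        workers = list(cluster.scheduler_info["workers"])
        return exposed_addresses(workers)


if __name__ == "__main__":
    print("affected sample:", exposed_addresses(SAMPLE_WORKERS_AFFECTED))
    print("fixed sample:", exposed_addresses(SAMPLE_WORKERS_FIXED))
    print("live cluster:", live_check())
```

On a host running an affected release, the same classification can be confirmed from the shell by listing listening sockets (for example `ss -ltnp` on Linux) and looking for dask worker processes bound to anything other than 127.0.0.1 or ::1. Passing `host="127.0.0.1"` explicitly is the conservative setting regardless of version; upgrading to 2021.10.0 or later is the fix.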
Provider  Type  Base Score    Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre     CNA   ---           ---
CVE       ADP   ---           ---

EPSS score: percentile 87%
Vendor    Product  Version
anaconda  dask     < 2021.10.0 (vulnerable)
Debian Releases (product: dask.distributed)
Codename  Version                     Status
bullseye  2021.01.0+ds.1-2.1+deb11u1  fixed
buster    -                           ignored
bookworm  2022.12.1+ds.1-3            fixed
sid       2024.5.2+ds.1-7             fixed
trixie    2024.5.2+ds.1-7             fixed
Ubuntu Releases (product: dask.distributed)
Codename  Status
noble     not-affected
mantic    not-affected
lunar     not-affected
kinetic   not-affected
jammy     not-affected
impish    ignored
hirsute   ignored
focal     needed
bionic    needed
xenial    ignored
trusty    ignored