CVE-2022-21797
Arbitrary Code Execution vulnerability in joblib (PyPI)

Tags: Arbitrary Code Execution | No known exploit | Fixable by Resolved Security

What is CVE-2022-21797 About?

The `joblib` package before 1.2.0 is vulnerable to arbitrary code execution through the `pre_dispatch` argument of the `Parallel` class: when `pre_dispatch` is given as a string, affected versions hand it to Python's built-in `eval()`. Any caller that lets an attacker choose that string therefore lets the attacker run arbitrary Python in the process, and the code pattern needed to trigger it is simple.

Affected Software

  • joblib
    • <1.2.0 (all releases before the fixing commit b90f10efeb670a2cc877fb88ebb3f2019189e059)

Technical Details

The vulnerability in the joblib package (versions prior to 1.2.0) stems from the use of the built-in eval() to interpret the pre_dispatch argument of the Parallel() class. pre_dispatch controls how many tasks are dispatched ahead of the workers and is documented to accept either an integer or a small arithmetic expression over n_jobs, such as '2*n_jobs'. In affected versions a string value is resolved by calling eval() on it, with n_jobs in scope so that the documented expressions work. eval() does not restrict what it runs, so any Python expression placed in pre_dispatch is executed with the privileges of the running application; nothing validates the string before it reaches eval(). The evaluation happens when the Parallel object is called with its tasks, not when it is constructed. The attack vector is therefore a Parallel object whose pre_dispatch argument is an attacker-controlled string.

What is the Impact of CVE-2022-21797?

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the Python process, which can lead to full compromise of that host, theft of the data it holds, or denial of service.

What is the Exploitability of CVE-2022-21797?

Exploitation requires getting an attacker-chosen string into the pre_dispatch argument of joblib.Parallel() on a vulnerable version and then having that Parallel object invoked, at which point the string is passed to eval() and executed. Complexity is low: any Python expression works, so the attacker only needs to form a string that eval() will parse. Whether authentication is needed depends on how joblib is used. If user-supplied input (a request parameter, a configuration value, a job description) flows into pre_dispatch in a web application or service, this becomes a remote and potentially unauthenticated attack. If pre_dispatch is only ever a hard-coded literal such as '2*n_jobs', the attacker must first be able to alter the application's code or configuration, which means some form of prior access or social engineering. The injected code runs with the privileges of the Python process. The condition to look for is any path by which untrusted input can reach pre_dispatch; no other preconditions beyond the vulnerable version are required.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2022-21797?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch fixes CVE-2022-21797 by replacing the call to Python's built-in eval() on pre_dispatch strings with a small arithmetic parser (eval_expr) that only accepts basic math operations over n_jobs. Because the parser rejects function calls, attribute access, imports and any name other than n_jobs, a malicious expression cannot execute code or reach other modules, while the documented forms such as '2*n_jobs' keep working unchanged.
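The following is an added example, not joblib's own code and not the Resolved Security patch. It reproduces the two sides described in the Technical Details, Exploitability and fix sections above: a function that mirrors the vulnerable pattern (a string pre_dispatch handed to eval() with n_jobs in scope), and a hardened replacement that parses the string with the ast module and evaluates only arithmetic nodes, in the spirit of the eval_expr approach described above. The function names, the whitelist of operators and the benign payload are all assumptions made for the demonstration; the payload simply returns the current PID, which is enough to prove the string was executed as code.

```python
import ast
import operator
import os

# Binary and unary operators the hardened evaluator accepts (an assumed
# whitelist for this example).  Anything else in the AST (calls, attribute
# access, subscripts, names other than n_jobs, ...) is rejected, which is
# what stops eval()-style payloads.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def resolve_pre_dispatch_unsafe(pre_dispatch, n_jobs):
    """Mirror of the vulnerable pattern: a string pre_dispatch goes to eval().

    n_jobs is a local here, so the documented form '2*n_jobs' resolves, but
    eval() will just as happily run any other Python expression it is given.
    """
    if isinstance(pre_dispatch, str):
        pre_dispatch = eval(pre_dispatch)  # the CVE-2022-21797 sink
    return int(pre_dispatch)


def _eval_node(node, names):
    """Recursively evaluate an arithmetic-only AST; raise on anything else."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, names)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name) and node.id in names:
        return names[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, names),
                                       _eval_node(node.right, names))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, names))
    raise ValueError("pre_dispatch may only contain arithmetic on n_jobs: "
                     f"rejected {type(node).__name__}")


def safe_eval_expr(expr, n_jobs):
    """Hardened replacement for eval(): parse, then walk a whitelist of nodes."""
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree, {"n_jobs": n_jobs})


def resolve_pre_dispatch_safe(pre_dispatch, n_jobs):
    """Same contract as the unsafe version, but strings go through safe_eval_expr."""
    if isinstance(pre_dispatch, str):
        pre_dispatch = safe_eval_expr(pre_dispatch, n_jobs)
    return int(pre_dispatch)


# Constructed, side-effect-free payload: if it is executed it returns this
# process's PID, which proves the string reached the interpreter as code.
PAYLOAD = "__import__('os').getpid()"


def demo(n_jobs=4):
    """Run the documented value and the payload through both resolvers."""
    results = {"pid": os.getpid()}
    results["unsafe_documented"] = resolve_pre_dispatch_unsafe("2*n_jobs", n_jobs)
    results["unsafe_payload"] = resolve_pre_dispatch_unsafe(PAYLOAD, n_jobs)
    results["safe_documented"] = resolve_pre_dispatch_safe("2*n_jobs", n_jobs)
    try:
        resolve_pre_dispatch_safe(PAYLOAD, n_jobs)
        results["safe_payload"] = "executed"
    except (ValueError, SyntaxError):
        results["safe_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the asymmetry the advisory describes: both resolvers turn '2*n_jobs' into 8, but only the eval() version returns the process PID for the payload, while the AST walker raises before any call is made. The same walker also rejects operators outside the whitelist (for example `2**n_jobs`) and attribute access such as `n_jobs.__class__`, so the escape routes that make eval() dangerous are closed rather than filtered by string matching.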

Available Upgrade Options

  • joblib
    • <1.2.0 → Upgrade to 1.2.0 (or later)
    • <b90f10efeb670a2cc877fb88ebb3f2019189e059 → Upgrade to a build that includes commit b90f10efeb670a2cc877fb88ebb3f2019189e059


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21797?

Similar Vulnerabilities: CVE-2020-9401, CVE-2020-15822, CVE-2020-13693, CVE-2020-28498, CVE-2020-25666