CVE-2024-10096
Remote Code Execution vulnerability in dask (PyPI)
What is CVE-2024-10096 About?
This vulnerability, described in a withdrawn advisory, relates to insecure deserialization in Dask Distributed Server versions up to 2024.8.2. It allows attackers to achieve remote command execution by sending malicious serialized objects. Exploitation is relatively straightforward for an attacker who can interact with the Dask server.
Affected Software
Technical Details
Prior to its withdrawal, this advisory highlighted a significant vulnerability in the Dask Distributed Server where it used pickle for serialization. The pickle module in Python is known to be insecure against maliciously constructed data. An attacker could craft a malicious Python object, serialize it using pickle, and then send this serialized payload to the Dask server. When the Dask server attempts to deserialize this object, the malicious code embedded within the object would be executed, leading to remote command execution on the server. This could effectively grant full control over the Dask server to the attacker.
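An added example (not Dask's code and not from the withdrawn advisory) that shows the mechanism described above and the usual mitigation: an object whose pickle stream names a callable makes plain pickle.loads call it during deserialization (the harmless os.getpid stands in here for whatever an attacker would choose), while an Unpickler subclass whose find_class only resolves allow-listed globals refuses the same stream before anything runs.

```python
import io
import os
import pickle

class Payload:
    """Constructed demo object: its pickle form instructs the unpickler to
    call a function at load time. os.getpid stands in for a real command."""
    def __reduce__(self):
        return (os.getpid, ())

def unsafe_loads(data: bytes):
    """Trusting loader: pickle.loads calls whatever global the stream names."""
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals; refuse everything else,
    so a stream naming any other callable never obtains it."""
    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "set"), ("builtins", "str"), ("builtins", "int"),
        ("builtins", "float"), ("builtins", "bytes"), ("builtins", "bool"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    """Summarise what each loader does with a benign and a hostile stream."""
    benign = pickle.dumps({"task": "sum", "args": [1, 2, 3]})   # constructed
    hostile = pickle.dumps(Payload())                           # constructed
    out = {"unsafe_benign": unsafe_loads(benign)}
    # Plain loads returns this process's pid: os.getpid() ran during load.
    out["unsafe_hostile_ran_code"] = unsafe_loads(hostile) == os.getpid()
    out["safe_benign"] = safe_loads(benign)
    try:
        safe_loads(hostile)
        out["safe_hostile_blocked"] = False
    except pickle.UnpicklingError:
        out["safe_hostile_blocked"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

An allow-list like this only helps if the server never needs arbitrary classes from the stream; where it does, the fix is to authenticate and authorize the peer before accepting any pickle at all.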
What is the Impact of CVE-2024-10096?
Successful exploitation may allow attackers to execute arbitrary code, gain full control over the Dask server, compromise data, and potentially pivot to other systems within the network.
What is the Exploitability of CVE-2024-10096?
Exploitation complexity is moderate, requiring the attacker to understand Python's pickle serialization and be able to craft malicious objects. There are no specific authentication requirements mentioned, implying that an attacker with network access to the Dask server's communication channels can exploit this. No special privileges are needed on the server side as the vulnerability lies in the deserialization process itself. This is a remote vulnerability, allowing exploitation over the network. The primary risk factor is the Dask server's exposure and its use of insecure deserialization, particularly if client connections are not properly authenticated or authorized.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-10096?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to CVE-2024-10096?
Similar Vulnerabilities: CVE-2020-8051, CVE-2020-13788, CVE-2020-14364, CVE-2021-23393, CVE-2021-21340
