CyberSec.Space Logo
Back to CVE Browser

CVE-2021-42343

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1440%
EPSS Percentile19.50th
PublishedOct 26, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.

Affected Platforms (CPE)

πŸ“¦
Anaconda

Dask

< 2021.10.0

References & Advisories

πŸ”— https://docs.dask.org/en/latest/changelog.html
πŸ”— https://github.com/dask/dask/tags
πŸ”— https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
πŸ”— https://docs.dask.org/en/latest/changelog.html
πŸ”— https://github.com/dask/dask/tags
πŸ”— https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr

Related Vulnerabilities

CVE-2021-3467910.0

Thycotic Password Reset Server before 5.3.0 allows credential disclosure.

CVE-2021-2328110.0

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM soft...

CVE-2021-4422810.0

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration...

CVE-2021-224410.0

Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI) and Essbase Analytic Provide...