CVE-2021-42343

Advisory

Distributed 2021.10.0 includes a fix for CVE-2021-42343: Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhst. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/advisories/GHSA-hwqr-f3v9-hwxr
• https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
• https://docs.dask.org/en/latest/changelog.html
• https://github.com/advisories/GHSA-j8fq-86c5-5v2r
• https://github.com/dask/dask/tags
• https://github.com/dask/distributed
• https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-871.yaml
• https://github.com/pypa/advisory-database/tree/main/vulns/distributed/PYSEC-2021-872.yaml
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42343