
CVE-2022-21797: joblib vulnerable to arbitrary code execution

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.29309%
Published: 9/27/2022
Updated: 9/23/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: joblib
Ecosystem: pip
Vulnerable Versions: < 1.2.0
First Patched Version: 1.2.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from unsafe use of `eval()` in processing the `pre_dispatch` parameter in `Parallel` class initialization. The commit diff shows the vulnerable line `pre_dispatch = eval(pre_dispatch)` was replaced with a restricted `eval` and later an AST-based parser. The CVE description explicitly cites improper `eval` usage in `pre_dispatch` handling as the root cause. The function responsible for processing this parameter resides in `Parallel`'s initialization logic in `parallel.py`.
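To make the root cause concrete, the following is an added example written for this page; it is not joblib's or Miggo's code. It places the pre-1.2.0 shape of the parameter handling (a bare `eval()` on the user-supplied string) next to a hardened version that walks the expression's AST and accepts only integer arithmetic over the single name `n_jobs`, which is the kind of AST-based parsing the analysis above refers to. The function names `vulnerable_pre_dispatch`, `safe_pre_dispatch`, `_eval_node` and `rejects`, and the exact operator whitelist, are this example's own choices, not joblib's.

```python
import ast
import operator

# Whitelist of arithmetic the pre_dispatch expression may use. Anything else
# (calls, attribute access, subscripts, power, names other than n_jobs) is
# refused, so the string can never reach code execution. Assumed set, not
# joblib's own; it covers the documented forms such as "2*n_jobs".
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}


def vulnerable_pre_dispatch(pre_dispatch, n_jobs):
    """Pre-1.2.0 shape: the string goes straight to eval() with full builtins.

    n_jobs is a local here, so arithmetic over it works, but so does any
    other Python expression the caller supplies.
    """
    if isinstance(pre_dispatch, str) and pre_dispatch != "all":
        return eval(pre_dispatch)  # noqa: S307 - deliberately unsafe, for contrast
    return pre_dispatch


def _eval_node(node, names):
    """Evaluate a tiny arithmetic AST; raise ValueError on anything else."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, names)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, int)
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in names:
            return names[node.id]
        raise ValueError(f"unknown name {node.id!r} in pre_dispatch")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, names)
        right = _eval_node(node.right, names)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, names)
    # Call, Attribute, Subscript, Pow, Lambda, comprehensions, ... all end here.
    raise ValueError(
        f"unsupported element {type(node).__name__} in pre_dispatch expression"
    )


def safe_pre_dispatch(pre_dispatch, n_jobs):
    """Hardened shape: parse with ast, evaluate only whitelisted nodes."""
    if pre_dispatch == "all" or isinstance(pre_dispatch, int):
        return pre_dispatch
    if not isinstance(pre_dispatch, str):
        raise TypeError("pre_dispatch must be an int, 'all', or an expression over n_jobs")
    try:
        tree = ast.parse(pre_dispatch, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"pre_dispatch is not a valid expression: {pre_dispatch!r}") from exc
    return _eval_node(tree, {"n_jobs": n_jobs})


def rejects(pre_dispatch, n_jobs):
    """True if the hardened parser refuses the expression."""
    try:
        safe_pre_dispatch(pre_dispatch, n_jobs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the documented arithmetic form, and a harmless
    # function call that eval() happily executes but the AST walker refuses.
    print(vulnerable_pre_dispatch("2*n_jobs", 4), safe_pre_dispatch("2*n_jobs", 4))
    print(vulnerable_pre_dispatch("max(n_jobs, 1)", 4), rejects("max(n_jobs, 1)", 4))
```

The contrast to notice is that both versions agree on `"2*n_jobs"`, so the legitimate interface is preserved, while the hardened version turns every non-arithmetic construct into a `ValueError` at parse time rather than running it. Restricting `eval()`'s globals, the intermediate fix the analysis mentions, narrows what an expression can reach but still hands the string to the full Python evaluator; walking the AST yourself means the only code that ever runs is the handful of node types you chose to support.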

WAF Protection Rules

WAF Rule

The package joblib from 0 and before 1.2.0 is vulnerable to arbitrary code execution via the `pre_dispatch` flag in `Parallel()` class due to the `eval()` statement.
