9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hwqr-f3v9-hwxr

GHSA-hwqr-f3v9-hwxr: Workers for local Dask clusters mistakenly listened on public interfaces

Versions of distributed earlier than 2021.10.0 had a potential security vulnerability relating to single-machine Dask clusters.

Clusters started with dask.distributed.LocalCluster or dask.distributed.Client() (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method AND running on a machine that has these ports exposed could be used by a sophisticated attacker to enable remote code execution. Users running on machines with standard firewalls in place, or using clusters created via cluster objects other than LocalCluster (e.g. dask_kubernetes.KubeCluster) should not be affected. This vulnerability is documented in CVE-2021-42343, and was fixed in version 2021.10.0 (PR #5427).

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-hwqr-f3v9-hwxr

GHSA-hwqr-f3v9-hwxr:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
distributed	pip	>= 0, < 2021.10.0	2021.10.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from LocalCluster not propagating the 'host' parameter to worker/nanny instances. The commit diff shows 'host' was added to worker_kwargs in LocalCluster's init method, and the accompanying test validates that workers/scheduler bind to 127.0.0.1. The absence of this parameter in worker configuration before the fix would result in workers listening on all interfaces (0.0.0.0).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-hwqr-f3v9-hwxr: Workers for local Dask clusters mistakenly listened on public interfaces

GHSA-hwqr-f3v9-hwxr:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

9.8

9.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

GHSA-hwqr-f3v9-hwxr: Workers for local Dask clusters mistakenly listened on public interfaces

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI