CVE-2021-42343: Exposure of Resource to Wrong Sphere

October 27, 2021 (updated March 21, 2022)

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.

References

docs.dask.org/en/latest/changelog.html
github.com/advisories/GHSA-j8fq-86c5-5v2r
github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b
github.com/dask/distributed/pull/5427
github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
nvd.nist.gov/vuln/detail/CVE-2021-42343

Code Behaviors & Features

Detect and mitigate CVE-2021-42343 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →