{"id":"CVE-2022-21797","details":"The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.","aliases":["GHSA-6hrg-qmvc-2xh8","PYSEC-2022-288"],"modified":"2026-04-02T07:46:14.287884Z","published":"2022-09-26T05:15:10.427Z","related":["MGASA-2022-0375","openSUSE-SU-2022:10214-1","openSUSE-SU-2024:12401-1","openSUSE-SU-2025:14914-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MJ5XTJS6OKJRRVXWFN5J67K3BYPEOBDF/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-01"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00020.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00027.html"},{"type":"REPORT","url":"https://github.com/joblib/joblib/issues/1128"},{"type":"FIX","url":"https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059"},{"type":"FIX","url":"https://github.com/joblib/joblib/pull/1321"},{"type":"FIX","url":"https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/joblib/joblib","events":[{"introduced":"0"},{"fixed":"f08737d9f23d3cdb40680f2e43d5e447bffe6271"},{"fixed":"b90f10efeb670a2cc877fb88ebb3f2019189e059"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.1"}]}}],"versions":["0.10.0","0.10.2","0.10.3","0.11","0.12","0.12.1","0.12.2","0.12.3","0.12.4","0.12.5","0.13.0","0.13.1","0.13.2","0.14.0","0.14.1","0.15.0","0.15.1","0.16.0","0.17.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.7","0.6.0","0.6.0.b","0.6.0.b2","0.6.0.b3","0.6.0a","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.7.0","0.7.0a","0.7.0b","0.7.0c","0.7.0d","0.7.1","0.8.0","0.8.0a","0.8.0a2","0.8.0a3","0.8.1","0.8.2","0.8.3","0.8.3-r1","0.8.4","0.9.0","0.9.0b2","0.9.0b3","0.9.0b4","0.9.1","0.9.2","0.9.3","0.9.4","1.0.0","1.0.1","1.1.0","debian/0.4.3-1","debian/0.4.5-1","debian/0.4.6-1","debian/0.4.6-2","debian/0.5.1-1","debian/0.5.4-1","debian/0.6.0_b2-1","debian/0.6.0_b3-1","debian/0.6.1-1","debian/0.6.4-1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21797.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}