{"id":"PYSEC-2021-387","details":"An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.","aliases":["CVE-2021-42343","GHSA-hwqr-f3v9-hwxr","GHSA-j8fq-86c5-5v2r","PYSEC-2021-871","PYSEC-2021-872"],"modified":"2023-11-01T04:56:37.916990Z","published":"2021-10-26T11:15:00Z","references":[{"type":"WEB","url":"https://docs.dask.org/en/latest/changelog.html"},{"type":"WEB","url":"https://github.com/dask/dask/tags"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-j8fq-86c5-5v2r"}],"affected":[{"package":{"name":"dask","ecosystem":"PyPI","purl":"pkg:pypi/dask"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2021.10.0"}]}],"versions":["0.10.0","0.10.1","0.10.2","0.11.0","0.11.1","0.12.0","0.13.0","0.13.0rc1","0.14.0","0.14.1","0.14.2","0.14.3","0.15.0","0.15.1","0.15.2","0.15.3","0.15.4","0.16.0","0.16.1","0.17.0","0.17.1","0.17.2","0.17.3","0.17.4","0.17.5","0.18.0","0.18.1","0.18.2","0.19.0","0.19.1","0.19.2","0.19.3","0.19.4","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.20.0","0.20.1","0.20.2","0.3.0","0.4.0","0.5.0","0.6.0","0.6.1","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.8.0","0.8.1","0.8.2","0.9.0","1.0.0","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.2.0","1.2.1","1.2.2","2.0.0","2.1.0","2.10.0","2.10.1","2.11.0","2.12.0","2.13.0","2.14.0","2.15.0","2.16.0","2.17.0","2.17.1","2.17.2","2.18.0","2.18.1","2.19.0","2.2.0","2.20.0","2.21.0","2.22.0","2.23.0","2.24.0","2.25.0","2.26.0","2.27.0","2.28.0","2.29.0","2.3.0","2.30.0","2.4.0","2.5.0","2.5.2","2.6.0","2.7.0","2.8.0","2.8.1","2.9.0","2.9.1","2.9.2","2020.12.0","2021.1.0","2021.1.1","2021.2.0","2021.3.0","2021.3.1","2021.4.0","2021.4.1","2021.5.0","2021.5.1","2021.6.0","2021.6.1","2021.6.2","2021.7.0","2021.7.1","2021.7.2","2021.8.0","2021.8.1","2021.9.0","2021.9.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/dask/PYSEC-2021-387.yaml"}}],"schema_version":"1.7.3"}