CVE-2021-42343 log

Source
Severity Medium
Remote Yes
Type Arbitrary code execution
Description
An issue was discovered in python-dask before version 2021.10.0. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
Group Package Affected Fixed Severity Status Ticket
AVG-2496 python-dask 2021.9.1-1 2021.10.0-1 Medium Fixed
References
https://github.com/dask/distributed/pull/5427
https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b