Jcrist

**Name of the Vulnerable Software and Affected Versions** Dask versions prior to 2021.10.0 **Description** An issue was discovered in Dask where single machine Dask clusters started with `dask.distributed.LocalCluster` or `dask.distributed.Client` would mistakenly configure their respective Dask workers to listen on external interfaces rather than only on localhost. A Dask cluster created using this method could be used by a sophisticated attacker to achieve remote code execution if the machine has an applicable port exposed. **Recommendations** For versions prior to 2021.10.0, update to version 2021.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Dask workers to minimize the risk of exploitation. Avoid using `dask.distributed.LocalCluster` or `dask.distributed.Client` on machines with exposed ports until the issue is resolved.