PT-2021-23584 · Dask · Dask

Jcrist · Published 2021-10-26 · Updated 2026-06-16 · CVE-2021-42343

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dask versions prior to 2021.10.0

Description: An issue was discovered in Dask where single-machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client would mistakenly configure their respective Dask workers to listen on external interfaces rather than only on localhost. A Dask cluster created using this method could be used by a sophisticated attacker to achieve remote code execution if the machine has an applicable port exposed.

Recommendations: For versions prior to 2021.10.0, update to version 2021.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Dask workers to minimize the risk of exploitation. Avoid using dask.distributed.LocalCluster or dask.distributed.Client on machines with exposed ports until the issue is resolved.
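The advisory turns on where the workers bind: a worker listening on 127.0.0.1 is reachable only from the same machine, one bound to 0.0.0.0 or a LAN address is reachable by anyone who can route to that port. The following check, added here as an example and not part of the advisory or of the Dask project's own code, parses Dask-style worker addresses of the form `tcp://<host>:<port>` and reports the ones that are not loopback-only. The sample addresses are constructed for the example; on a live cluster the same list is available from `client.scheduler_info()["workers"].keys()` on a `dask.distributed.Client`.

```python
"""Added example (not from the advisory or the Dask project): flag Dask
worker addresses that are bound to non-loopback interfaces.

The advisory describes LocalCluster workers listening on external
interfaces instead of localhost. This check takes a list of worker
addresses ("tcp://<host>:<port>") and reports those a remote host could
reach. SAMPLE_WORKERS below is constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit


def is_loopback_address(worker_address: str) -> bool:
    """Return True if the address binds only to a loopback interface.

    Accepts "tcp://127.0.0.1:8786", "tcp://[::1]:8786" and the hostname
    "localhost". Anything else (0.0.0.0, a LAN IP, another hostname) is
    treated as reachable from other machines.
    """
    host = urlsplit(worker_address).hostname  # brackets around IPv6 are stripped
    if host is None:
        raise ValueError(f"cannot parse worker address: {worker_address!r}")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A hostname other than "localhost": assume it resolves externally.
        return False


def exposed_workers(worker_addresses):
    """Return the addresses that are not loopback-only, in input order."""
    return [addr for addr in worker_addresses if not is_loopback_address(addr)]


# Constructed sample: a mix of correctly bound workers and workers bound
# the way the advisory describes (external interface instead of localhost).
SAMPLE_WORKERS = [
    "tcp://127.0.0.1:40123",
    "tcp://[::1]:40124",
    "tcp://localhost:40125",
    "tcp://0.0.0.0:40126",
    "tcp://192.168.1.20:40127",
]

if __name__ == "__main__":
    # On a real cluster, replace SAMPLE_WORKERS with
    # list(client.scheduler_info()["workers"].keys()).
    for addr in exposed_workers(SAMPLE_WORKERS):
        print("worker reachable from other hosts:", addr)
```

Running this against a pre-2021.10.0 LocalCluster would surface the externally bound workers; after upgrading, or when access to the worker ports is restricted as the advisory recommends, the list should be empty.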

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2021-42343
GHSA-HWQR-F3V9-HWXR
GHSA-J8FQ-86C5-5V2R
OPENSUSE-SU-2024:11766-1
OPENSUSE-SU-2024:13920-1
OPENSUSE-SU-2026:11043-1
PYSEC-2021-387
PYSEC-2021-871
PYSEC-2021-872

Affected Products

Dask