The package joblib, all versions from 0 up to but not including 1.2.0, is vulnerable to arbitrary code execution via the pre_dispatch argument of the Parallel() class. When pre_dispatch was given as a string (the documented form is an arithmetic expression such as "2*n_jobs"), it was passed to eval(), so any Python expression in that string was executed in the process running Parallel(). The issue is exploitable wherever untrusted input can reach pre_dispatch, for example a job configuration supplied by a user. The fix (PR #1321, commit b90f10e) removed the eval() call and ships in joblib 1.2.0; upgrade to 1.2.0 or later.
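The following is an added, self-contained illustration of the vulnerable pattern beside a hardened replacement. It is not joblib's code: vulnerable_pre_dispatch reproduces the eval()-on-a-string behaviour described above, and safe_pre_dispatch is my own AST-based allowlist evaluator that accepts only numeric literals, the name n_jobs and basic arithmetic, the same general approach as the upstream fix but with hypothetical names chosen here. Exponentiation is deliberately left out of the allowlist because an expression like a huge power is a cheap CPU-exhaustion vector.

```python
import ast
import operator

# Operators a pre_dispatch expression such as "2*n_jobs" legitimately needs.
# ast.Pow is intentionally absent: "9**9**9" would burn CPU for no benefit.
_ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_ALLOWED_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def vulnerable_pre_dispatch(pre_dispatch, n_jobs):
    """The pattern behind CVE-2022-21797 (hypothetical helper, not joblib's code).

    A string pre_dispatch is handed to eval() with n_jobs visible in the local
    scope, so "2*n_jobs" works, but so does any other Python expression.
    """
    if isinstance(pre_dispatch, str):
        return eval(pre_dispatch)  # n_jobs is in scope; anything else runs too
    return pre_dispatch


def _eval_node(node, n_jobs):
    """Recursively evaluate an allowlisted arithmetic AST; reject everything else."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name) and node.id == "n_jobs":
        return n_jobs
    if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
        left = _eval_node(node.left, n_jobs)
        right = _eval_node(node.right, n_jobs)
        return _ALLOWED_BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _ALLOWED_UNARYOPS:
        return _ALLOWED_UNARYOPS[type(node.op)](_eval_node(node.operand, n_jobs))
    # Calls, attribute access, subscripts, names other than n_jobs, strings,
    # comparisons, conditionals: all rejected before anything executes.
    raise ValueError("disallowed syntax in pre_dispatch: %s" % ast.dump(node))


def safe_pre_dispatch(pre_dispatch, n_jobs):
    """Hardened replacement: parse, then evaluate only allowlisted nodes."""
    if not isinstance(pre_dispatch, str):
        return pre_dispatch
    if pre_dispatch == "all":  # special value joblib documents, no arithmetic
        return "all"
    try:
        tree = ast.parse(pre_dispatch, mode="eval")
    except SyntaxError as exc:
        raise ValueError("pre_dispatch is not a valid expression: %r" % pre_dispatch) from exc
    return _eval_node(tree.body, n_jobs)


def is_rejected(pre_dispatch, n_jobs):
    """True if the hardened evaluator refuses the expression."""
    try:
        safe_pre_dispatch(pre_dispatch, n_jobs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Legitimate input behaves identically under both evaluators.
    print(vulnerable_pre_dispatch("2*n_jobs", 4), safe_pre_dispatch("2*n_jobs", 4))
    # A benign stand-in for attacker-controlled code: the eval() path runs it,
    # the allowlist path refuses it without executing anything.
    payload = "__import__('os').getpid()"
    print("eval() path executed arbitrary code:", vulnerable_pre_dispatch(payload, 4))
    print("allowlist path rejected it:", is_rejected(payload, 4))
```

The point of the hardened version is that nothing is evaluated until the whole tree has been walked and every node matched against the allowlist, so a rejected expression has no side effects at all. If your own code accepts expression strings from callers, the same parse-then-walk pattern applies; a regular expression or a "safe" eval with restricted builtins is not an adequate substitute.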
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-21797
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
- https://github.com/advisories/GHSA-6hrg-qmvc-2xh8