
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2021-42343) was discovered in the Dask distributed package, affecting versions before 2021.10.0. It was disclosed on October 26, 2021, and concerns single-machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client, and therefore any Python application that starts a local cluster with an affected version (GitHub Advisory).
The root cause is a configuration defect rather than a memory-safety bug: LocalCluster did not pass its host setting on to the workers it created, so those workers fell back to listening on external interfaces, typically on randomly selected high ports, instead of only on localhost. Because dask.distributed.Client defaults to creating a LocalCluster, the most common single-machine setup triggers the issue. It was assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
A Dask worker executes whatever Python tasks it receives over its wire protocol, and a LocalCluster configures no authentication, so an attacker who can reach one of the exposed ports can achieve remote code execution as the user running the cluster; the advisory describes this as requiring a sophisticated attacker and a machine on which those ports are exposed (GitHub Advisory). Exploitability therefore hinges on whether a host firewall or network policy blocks the randomly chosen ports; the NVD score assumes they are reachable.
The vulnerability was fixed in version 2021.10.0 of the Dask distributed package through PR #5427, which ensures the host parameter is forwarded through LocalCluster to every object it creates, so a local cluster now binds to 127.0.0.1 by default. Users should upgrade to 2021.10.0 or later. The fix changes only LocalCluster's default bind address and adds no authentication, so a cluster that is deliberately given a non-loopback host still needs to be protected by network controls (GitHub PR).
The community response to the fix was positive. One user confirmed after upgrading that the local cluster binds to 127.0.0.1, verifying that the change behaves as intended (GitHub PR).
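As an added example (written for this page, not taken from the advisory, the Wiz database, or the Dask project), the following Python check is what a practitioner can run after upgrading: it compares the installed distributed version against 2021.10.0 and audits the scheduler, worker and nanny addresses reported by Client.scheduler_info() for anything not bound to loopback. The two scheduler_info dictionaries are constructed to illustrate a pre-fix and a post-fix cluster, with made-up ports; the check assumes scheduler_info() returns an 'address' key, a 'workers' dict keyed by worker address, and a 'nanny' address inside each worker entry. The live check at the bottom runs only when distributed is importable.

```python
"""Added check for CVE-2021-42343: confirm a Dask LocalCluster listens only on loopback.

Not part of the advisory or of Dask itself. Assumes Client.scheduler_info()
returns a dict with an 'address' key, a 'workers' dict keyed by worker address,
and a 'nanny' address inside each worker entry.
"""
import ipaddress
import re
from urllib.parse import urlsplit

FIXED_VERSION = (2021, 10, 0)  # first release carrying PR #5427


def parse_calver(version):
    """Turn a distributed CalVer string such as '2021.09.1' into an int tuple.

    Local/dev suffixes such as '+3.gabc1234' are ignored; missing components
    are padded with zeros so '2021.10' compares equal to '2021.10.0'.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(version):
    """True for any release before 2021.10.0."""
    return parse_calver(version) < FIXED_VERSION


def is_loopback_bound(address):
    """True if a Dask endpoint address is reachable only from the local host.

    Dask addresses look like 'tcp://127.0.0.1:8786' or 'tls://[::1]:8786'.
    'inproc://' endpoints are in-process queues, not sockets, so they pass.
    Wildcard binds (0.0.0.0, ::) and routable IPs both fail: that is exactly
    the exposure the CVE describes.
    """
    parts = urlsplit(address)
    if parts.scheme == "inproc":
        return True
    host = parts.hostname
    if host is None:
        raise ValueError(f"address has no host component: {address!r}")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"  # a bare hostname; only 'localhost' is safe


def exposed_endpoints(info):
    """List every (role, address) in a scheduler_info() dict not bound to loopback.

    The scheduler, each worker, and each worker's nanny are checked; the nanny
    matters because it is a separate listening process that supervises and
    restarts the worker.
    """
    found = []
    if not is_loopback_bound(info["address"]):
        found.append(("scheduler", info["address"]))
    for addr, worker in info.get("workers", {}).items():
        if not is_loopback_bound(addr):
            found.append(("worker", addr))
        nanny = worker.get("nanny")
        if nanny and not is_loopback_bound(nanny):
            found.append(("nanny", nanny))
    return found


# Constructed samples in the shape of Client.scheduler_info(); addresses and
# ports are made up. The pre-fix one shows one worker on a wildcard bind and
# one on the machine's routable address while the scheduler sits on loopback.
PRE_FIX_INFO = {
    "address": "tcp://127.0.0.1:8786",
    "workers": {
        "tcp://0.0.0.0:41233": {"nanny": "tcp://0.0.0.0:36815"},
        "tcp://192.168.1.10:38921": {"nanny": "tcp://192.168.1.10:44201"},
    },
}
POST_FIX_INFO = {
    "address": "tcp://127.0.0.1:8786",
    "workers": {
        "tcp://127.0.0.1:41233": {"nanny": "tcp://127.0.0.1:36815"},
        "tcp://127.0.0.1:38921": {"nanny": "tcp://127.0.0.1:44201"},
    },
}


if __name__ == "__main__":
    print("pre-fix sample exposes:", exposed_endpoints(PRE_FIX_INFO))
    print("post-fix sample exposes:", exposed_endpoints(POST_FIX_INFO))
    try:
        import distributed
        from distributed import Client, LocalCluster
    except ImportError:
        print("distributed is not installed; live check skipped")
    else:
        version = distributed.__version__
        print(f"distributed {version}: vulnerable={is_vulnerable_version(version)}")
        with LocalCluster(n_workers=2) as cluster, Client(cluster) as client:
            print("live cluster exposes:", exposed_endpoints(client.scheduler_info()))
```

The address check deliberately flags routable private addresses as well as wildcard binds: a worker that reports the machine's LAN address as its contact address is reachable from that LAN, which is the exposure the advisory describes, whatever the socket was bound to underneath.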
Source: This report was generated using AI