Dask
Monthly
Resource exhaustion in Dask up to version 3.0 allows authenticated remote attackers to trigger excessive resource consumption via the `nunique_approx` function in the HyperLogLog (HLL) handler component. The root cause is a HashDoS vulnerability - adversarially crafted string or object-type input values can be engineered to collide within the 32-bit hash space used for approximate distinct counting and shuffle partitioning, causing partition hotspotting and disproportionate CPU/memory load on worker nodes. No public exploit code exists at time of analysis, and the CVSS score of 3.1 (Low) with AC:H and A:L confirms limited real-world availability impact absent a targeted, high-complexity effort.
Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Resource exhaustion in Dask up to version 3.0 allows authenticated remote attackers to trigger excessive resource consumption via the `nunique_approx` function in the HyperLogLog (HLL) handler component. The root cause is a HashDoS vulnerability - adversarially crafted string or object-type input values can be engineered to collide within the 32-bit hash space used for approximate distinct counting and shuffle partitioning, causing partition hotspotting and disproportionate CPU/memory load on worker nodes. No public exploit code exists at time of analysis, and the CVSS score of 3.1 (Low) with AC:H and A:L confirms limited real-world availability impact absent a targeted, high-complexity effort.
Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.