CVE-2011-4356 – celery

Package

Manager: pip
Name: celery
Vulnerable Version: >=2.1.0 <2.2.8 || >=2.3.0 <2.3.4 || >=2.4.0 <2.4.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

EPSS: 0.00047 pctl0.13946

Details

Celery local privilege escalation vulnerability Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.

Metadata

Created: 2022-05-17T05:36:00Z
Modified: 2024-09-06T16:36:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rpc6-h455-3rx5/GHSA-rpc6-h455-3rx5.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-rpc6-h455-3rx5
Finding: F159
Auto approve: 1