CVE-2021-23727 – celery
Package
Manager: pip
Name: celery
Vulnerable Version: >=0 <5.2.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02018 (percentile 0.8304)
Details
OS Command Injection in celery. This affects the package celery before 5.2.2. By default, celery trusts the messages and metadata stored in backends (result stores). When task metadata is read from the backend, the data is deserialized. If an attacker can gain access to, or otherwise manipulate, the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Metadata
Created: 2022-01-06T22:22:02Z
Modified: 2024-09-06T16:27:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-q4xr-rc97-m4xx/GHSA-q4xr-rc97-m4xx.json
CWE IDs: ["CWE-77", "CWE-78"]
Alternative ID: GHSA-q4xr-rc97-m4xx
Finding: F404
Auto approve: 1