CVE-2020-17495 django-celery-results

Package

Manager: pip
Name: django-celery-results
Vulnerable Version: >=0 <2.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00148 (percentile 0.35848)

Details

django-celery-results Stores Sensitive Information In Cleartext

django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. These variables may contain sensitive cleartext information that does not belong unencrypted in the database. In version 2.4.0 this is no longer the default behaviour, but it can be re-enabled with the `result_extended` flag, in which case care should be taken to ensure any sensitive variables are scrubbed; see [here](https://github.com/celery/django-celery-results/issues/154#issuecomment-734706270) for an example.

Metadata

Created: 2021-06-04T21:46:52Z
Modified: 2024-09-13T20:13:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-fvx8-v524-8579
Finding: F020
Auto approve: 1