CVE-2021-23727

Source
https://cve.org/CVERecord?id=CVE-2021-23727
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23727.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-23727
Aliases
Downstream
Related
  • SNYK-PYTHON-CELERY-2314953
Published
2021-12-29T17:15:07.413Z
Modified
2026-04-16T04:34:30.210545330Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

This affects the package celery before 5.2.2. By default, it trusts the messages and metadata stored in backends (result stores). When task metadata is read from the backend, the data is deserialized. If an attacker can gain access to, or otherwise manipulate, the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

References

Affected packages

Git / github.com/celery/celery

Affected ranges

Type
GIT
Repo
https://github.com/celery/celery
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.2.2"
        }
    ]
}

Affected versions

4.*
4.4.0
4.4.0rc1
4.4.0rc2
4.4.0rc3
4.4.0rc4
4.4.0rc5
4.4.1
4.4.2
4.4.3
Other
semver
v0.*
v0.1.10
v0.1.11
v0.1.12
v0.1.13
v0.1.15
v0.1.7
v0.1.8
v0.2.0
v0.2.0-pre1
v0.2.0-pre2
v0.2.0-pre3
v0.2.3
v0.3.0
v0.3.1
v0.3.2
v0.7.1
v0.7.2
v0.8.0
v0.8.0-pre1
v0.9.7
v1.*
v1.0.0
v1.0.0-pre3
v1.0.0-pre4
v1.0.1
v1.0.1-pre2
v1.0.2
v1.1.1
v1.1.2
v1.1.3
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.0a6
v2.1.0rc1
v2.1.0rc2
v2.1.0rc3
v2.1.0rc4
v2.3.0
v2.3.0rc1
v2.3.0rc2
v2.3.1
v2.5.0
v2.5.0rc1
v2.5.1
v3.*
v3.1.0
v3.1.1
v3.1.2
v3.1.4
v3.1.5
v3.1.7
v3.1.8
v4.*
v4.0.0
v4.0.0rc3
v4.0.0rc4
v4.0.0rc5
v4.0.0rc6
v4.0.1
v4.0.2
v4.2.0
v4.2.0rc1
v4.2.0rc2
v4.2.0rc3
v4.2.0rc4
v4.3.0
v4.3.0rc1
v4.3.0rc2
v4.3.0rc3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v5.*
v5.0.0
v5.0.0b1
v5.0.0rc1
v5.0.0rc2
v5.0.0rc3
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1.0
v5.1.0b1
v5.1.0rc1
v5.1.1
v5.1.2
v5.2.0
v5.2.0b1
v5.2.0b2
v5.2.0b3
v5.2.0rc1
v5.2.0rc2
v5.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23727.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    }
]