CVE-2021-23727

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-23727

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23727.json

Aliases

GHSA-q4xr-rc97-m4xx
PYSEC-2021-858
SNYK-PYTHON-CELERY-2314953

Published

2021-12-29T17:15:07Z

Modified

2023-11-08T04:05:12.931743Z

Details

This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

References

https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
https://github.com/celery/celery/blob/master/Changelog.rst%23522
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/

Affected packages

Git / github.com/celery/celery

Affected ranges

Type: GIT
Repo: https://github.com/celery/celery
Events: Introduced

0The exact introduced commit is unknown

Fixed

b21c13d234dd6d6c197436374ab1bb5db4be62c7