This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
References
Link | Resource |
---|---|
https://github.com/celery/celery/blob/master/Changelog.rst%23522 | Broken Link Release Notes Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/ | |
https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953 | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 03:30
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
14 Jun 2022, 14:38
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:* | |
First Time |
Fedoraproject extra Packages For Enterprise Linux
|
01 Apr 2022, 15:29
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/ - Mailing List, Third Party Advisory |
16 Jan 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Jan 2022, 17:00
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/celery/celery/blob/master/Changelog.rst%23522 - Broken Link, Release Notes, Third Party Advisory | |
References | (MISC) https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953 - Exploit, Third Party Advisory | |
First Time |
Fedoraproject fedora
Celeryproject Celeryproject celery Fedoraproject fedora Extra Packages For Enterprise Linux Fedoraproject |
|
CPE | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:a:fedoraproject:fedora_extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:* cpe:2.3:a:celeryproject:celery:*:*:*:*:*:python:*:* |
|
CVSS |
v2 : v3 : |
v2 : 6.0
v3 : 7.5 |
CWE | CWE-77 |
29 Dec 2021, 17:29
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-29 17:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-23727
Mitre link : CVE-2021-23727
CVE.ORG link : CVE-2021-23727
JSON object : View
Products Affected
fedoraproject
- extra_packages_for_enterprise_linux
- fedora
celeryproject
- celery
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')