CVE-2021-23727

This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Configurations

Configuration 1 (hide)

cpe:2.3:a:celeryproject:celery:*:*:*:*:*:python:*:*

Configuration 2 (hide)

OR cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

History

07 Nov 2023, 03:30

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/', 'name': 'FEDORA-2022-1dae017601', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/ -

14 Jun 2022, 14:38

Type Values Removed Values Added
CPE cpe:2.3:a:fedoraproject:fedora_extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:* cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*
First Time Fedoraproject extra Packages For Enterprise Linux

01 Apr 2022, 15:29

Type Values Removed Values Added
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/ - Mailing List, Third Party Advisory

16 Jan 2022, 04:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/ -

10 Jan 2022, 17:00

Type Values Removed Values Added
References (MISC) https://github.com/celery/celery/blob/master/Changelog.rst%23522 - (MISC) https://github.com/celery/celery/blob/master/Changelog.rst%23522 - Broken Link, Release Notes, Third Party Advisory
References (MISC) https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953 - (MISC) https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953 - Exploit, Third Party Advisory
First Time Fedoraproject fedora
Celeryproject
Celeryproject celery
Fedoraproject fedora Extra Packages For Enterprise Linux
Fedoraproject
CPE cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:fedora_extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:a:celeryproject:celery:*:*:*:*:*:python:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 6.0
v3 : 7.5
CWE CWE-77

29 Dec 2021, 17:29

Type Values Removed Values Added
New CVE

Information

Published : 2021-12-29 17:15

Updated : 2023-12-10 14:09


NVD link : CVE-2021-23727

Mitre link : CVE-2021-23727

CVE.ORG link : CVE-2021-23727


JSON object : View

Products Affected

fedoraproject

  • extra_packages_for_enterprise_linux
  • fedora

celeryproject

  • celery
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')