Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNHhyLXJjOTctbTR4eM0f2w
OS Command Injection in celery
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Permalink: https://github.com/advisories/GHSA-q4xr-rc97-m4xxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNHhyLXJjOTctbTR4eM0f2w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-q4xr-rc97-m4xx, CVE-2021-23727
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23727
- https://github.com/celery/celery/blob/master/Changelog.rst%23522
- https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/
- https://github.com/celery/celery/commit/1f7ad7e6df1e02039b6ab9eec617d283598cad6b
- https://github.com/advisories/GHSA-q4xr-rc97-m4xx
Blast Radius: 34.5
Affected Packages
pypi:celery
Dependent packages: 395Dependent repositories: 40,119
Downloads: 10,218,581 last month
Affected Version Ranges: < 5.2.2
Fixed in: 5.2.2
All affected versions: 0.1.2, 0.1.4, 0.1.6, 0.1.7, 0.1.8, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.2.0, 0.3.0, 0.3.7, 0.3.20, 0.4.0, 0.4.1, 0.6.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1
All unaffected versions: 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0