Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ2eDgtdjUyNC04NTc5

django-celery-results Stores Sensitive Information In Cleartext

django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.

In version 2.4.0 this is no longer the default behaviour, but it can be re-enabled with the result_extended flag, in which case care should be taken to ensure any sensitive variables are scrubbed (see here for an example).
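The mitigation the advisory describes, as an added example that is not from the advisory or from the django-celery-results project: leave extended results off, or, when they are needed, scrub task arguments before the task is sent so that only redacted values reach the result table. It assumes the Django-namespaced setting name CELERY_RESULT_EXTENDED for Celery's result_extended option, and the list of sensitive key names is constructed for illustration.

```python
import re
from typing import Any

# Assumption: in a Django project Celery's result_extended option is read
# from settings.CELERY_RESULT_EXTENDED. False (the 2.4.0+ default) keeps
# task args/kwargs out of the result table entirely; if you set it to True,
# pass arguments through scrub_task_call() before apply_async/delay.
#
#   CELERY_RESULT_EXTENDED = False   # default since 2.4.0, nothing stored
#   CELERY_RESULT_EXTENDED = True    # args/kwargs stored: scrub them first

# Constructed list of key names whose values are always redacted.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key",
                  "authorization", "credit_card", "ssn")
# Constructed pattern for values that look like secrets even under a
# harmless key name: bearer tokens and AWS-style access key ids.
SENSITIVE_VALUE_RE = re.compile(r"^(Bearer\s+\S+|AKIA[0-9A-Z]{16})$")
REDACTED = "[REDACTED]"


def _is_sensitive_key(key: Any) -> bool:
    return isinstance(key, str) and any(s in key.lower() for s in SENSITIVE_KEYS)


def scrub(value: Any, key: Any = None) -> Any:
    """Return a copy of value with sensitive leaves replaced by REDACTED.

    Redacts any value stored under a sensitive-looking key at any depth,
    and any string matching SENSITIVE_VALUE_RE. Container types are kept
    so the scrubbed arguments stay serialisable for the broker.
    """
    if _is_sensitive_key(key):
        return REDACTED
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str) and SENSITIVE_VALUE_RE.match(value):
        return REDACTED
    return value


def scrub_task_call(args: tuple, kwargs: dict) -> tuple:
    """Scrub positional and keyword arguments of a task before sending it."""
    return scrub(args), scrub(kwargs)


if __name__ == "__main__":
    # Constructed sample of what a careless caller might hand to a task.
    sample_args = ("alice", {"password": "hunter2"}, "Bearer eyJhbGciOi")
    sample_kwargs = {"email": "alice@example.com",
                     "card": {"credit_card": "4111111111111111"}}
    print(scrub_task_call(sample_args, sample_kwargs))
```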

Permalink: https://github.com/advisories/GHSA-fvx8-v524-8579
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ2eDgtdjUyNC04NTc5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-fvx8-v524-8579, CVE-2020-17495
References: Repository: https://github.com/celery/django-celery-results
Blast Radius: 26.3

Affected Packages

pypi:django-celery-results
Dependent packages: 40
Dependent repositories: 3,222
Downloads: 1,270,820 last month
Affected Version Ranges: < 2.4.0
Fixed in: 2.4.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.3.1
All unaffected versions: 2.4.0, 2.5.0, 2.5.1