PT-2020-15025 · Django+1 · Django-Celery-Results+1
Published 2020-08-11 · Updated 2021-06-04 · CVE-2020-17495
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
django-celery-results versions prior to 2.4.0
django-celery-results version 1.2.1
Description
The issue concerns the storage of task results in the database: those results may include sensitive cleartext values that were passed into tasks as variables. Such sensitive information should not be held unencrypted in the database.
Recommendations
For django-celery-results versions prior to 2.4.0, consider disabling the storage of task results in the database or ensure that any sensitive variables are properly encrypted before storage.
For django-celery-results version 1.2.1, update to a version where the default behavior no longer stores sensitive information unencrypted, such as version 2.4.0 or later, and be cautious with the `result_extended` flag to avoid storing sensitive variables without proper scrubbing.
Fix
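The recommendations above amount to two controls: stop persisting task inputs (the `result_extended` Celery setting, exposed as `CELERY_RESULT_EXTENDED` in Django settings) and scrub task return values before they reach the result backend. The following is an added example, not code from the advisory or from the django-celery-results project. It assumes Celery's documented settings names (`result_backend`, `result_extended`, `task_ignore_result`) in their `CELERY_`-prefixed Django form and the `django-db` backend string; the task body, the settings dictionaries and the list of sensitive key names are constructed for illustration.

```python
"""Added example: keep cleartext secrets out of a database-backed Celery result store.

Not part of the advisory or of django-celery-results. It runs without Celery
installed: the decorator only post-processes a task function's return value.
"""
import functools
import re
from typing import Any, Optional

# Keys whose values must never be persisted in cleartext (constructed denylist).
SENSITIVE_KEY_PATTERN = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|authorization|ssn|card)", re.IGNORECASE
)
REDACTED = "[REDACTED]"


def scrub(value: Any, key: Optional[str] = None) -> Any:
    """Recursively replace any value stored under a sensitive-looking key.

    Dicts are walked by key, lists/tuples element by element; scalars pass through.
    """
    if key is not None and SENSITIVE_KEY_PATTERN.search(key):
        return REDACTED
    if isinstance(value, dict):
        return {k: scrub(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value


def scrubbed_result(func):
    """Decorate a task function so its return value is scrubbed before Celery
    hands it to the result backend. Apply it inside @shared_task / @app.task."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        return scrub(func(*args, **kwargs))
    return wrapper


@scrubbed_result
def create_account(username: str, password: str) -> dict:
    """Constructed task body that would otherwise echo the password into the result."""
    return {"username": username, "password": password, "status": "created"}


# Django settings fragments (assumed key names: Celery settings with the CELERY_
# prefix that app.config_from_object("django.conf:settings", namespace="CELERY") reads).
WEAK_SETTINGS = {
    "CELERY_RESULT_BACKEND": "django-db",
    "CELERY_RESULT_EXTENDED": True,  # also persists task args/kwargs in the database
}

HARDENED_SETTINGS = {
    "CELERY_RESULT_BACKEND": "django-db",
    "CELERY_RESULT_EXTENDED": False,    # never persist task args/kwargs
    "CELERY_TASK_IGNORE_RESULT": True,  # drop result storage where results are not consumed
}


def audit_result_settings(settings: dict) -> list:
    """Return human-readable findings for result-storage settings that risk
    cleartext storage of task inputs or outputs."""
    findings = []
    if settings.get("CELERY_RESULT_EXTENDED", False):
        findings.append(
            "CELERY_RESULT_EXTENDED is True: task args/kwargs are persisted in the result backend"
        )
    if settings.get("CELERY_RESULT_BACKEND") == "django-db" and not settings.get(
        "CELERY_TASK_IGNORE_RESULT", False
    ):
        findings.append(
            "task results are stored in the database: scrub return values or disable result storage"
        )
    return findings


if __name__ == "__main__":
    print(create_account("alice", "hunter2"))
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_result_settings(cfg) or ["no findings"])
```

The decorator covers only what the task returns; with `result_extended` enabled Celery itself records the call's arguments, which no return-value scrubbing can reach, so the settings change is the control that addresses that half of the issue. Where results are consumed, prefer scrubbing at the task boundary over trying to encrypt rows after they have already been written.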
Weakness Enumeration
Cleartext Storage of Sensitive Information
Related Identifiers
Affected Products
Debian
Django-Celery-Results