PT-2021-15547 · Celery+2
Calum Hutton · Published 2021-12-29 · Updated 2024-11-11
CVE-2021-23727
CVSS v4.0: 7.7 (High)
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
celery versions prior to 5.2.2
Description
By default the package trusts messages and metadata stored in its result backends. An attacker who gains access to, or can manipulate, the metadata held in a Celery backend can turn that trust into a stored command injection, potentially gaining further access to the system.
Recommendations
For versions prior to 5.2.2, update to version 5.2.2 or later to resolve the issue. As a temporary workaround, restrict access to the backend to reduce the risk of exploitation, and avoid deserializing task metadata from the backend until the fix is applied.
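The class of bug described above is a consumer that reads a stored record naming a module and an attribute, resolves that name, and calls it with the stored message. The following is an added example, not Celery's own code and not the project's fix: a validated restorer for that kind of failure metadata, which refuses to instantiate anything that does not resolve to an exception class. The `ALLOWED_EXC_MODULES` allowlist, the record keys and all sample records are assumptions of this example.

```python
import importlib
from typing import Any, Dict

# Hypothetical, constructed example (not Celery's code): a validated
# deserializer for the dict-shaped exception metadata a task result backend
# stores when a task fails. The record names a module and an attribute; the
# restorer must prove that name is an exception class before calling it.

# Assumption of this example: modules exception classes may be restored from.
# Tighten to what your tasks actually raise.
ALLOWED_EXC_MODULES = frozenset({"builtins", "celery.exceptions"})


class UntrustedMetadataError(Exception):
    """Raised when a stored record does not describe a plain exception."""


def restore_exception(record: Dict[str, Any]) -> BaseException:
    """Rebuild the exception described by a backend record, or refuse it.

    Expected shape (assumed for this example):
    {"exc_module": "builtins", "exc_type": "ValueError", "exc_message": "bad"}
    """
    if not isinstance(record, dict):
        raise UntrustedMetadataError("exception metadata must be a dict")

    module_name = record.get("exc_module", "builtins")
    type_name = record.get("exc_type")
    message = record.get("exc_message", "")

    if not isinstance(module_name, str) or not isinstance(type_name, str):
        raise UntrustedMetadataError("exc_module and exc_type must be strings")

    # 1. Only resolve names from modules we expect exceptions to come from.
    if module_name not in ALLOWED_EXC_MODULES:
        raise UntrustedMetadataError(f"module {module_name!r} is not allowed")

    # 2. Resolve the (possibly dotted) attribute chain; nothing is called yet.
    try:
        obj: Any = importlib.import_module(module_name)
        for part in type_name.split("."):
            obj = getattr(obj, part)
    except (ImportError, AttributeError) as exc:
        raise UntrustedMetadataError(
            f"cannot resolve {module_name}.{type_name}") from exc

    # 3. The decisive check: the resolved object must be an exception *class*.
    #    A function or any other callable is rejected before the stored
    #    message could ever be passed to it.
    if not isinstance(obj, type) or not issubclass(obj, BaseException):
        raise UntrustedMetadataError(
            f"{module_name}.{type_name} is not an exception class")

    # 4. Only now is the stored message used, and only as one plain string.
    return obj(str(message))


def is_safe_record(record: Any) -> bool:
    """Triage predicate: True if a stored record restores to a real exception."""
    try:
        restore_exception(record)
    except UntrustedMetadataError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample records, not taken from any real backend.
    ok = {"exc_module": "builtins", "exc_type": "ValueError",
          "exc_message": "bad input"}
    not_exception = {"exc_module": "builtins", "exc_type": "print",
                     "exc_message": "hello"}
    foreign_module = {"exc_module": "subprocess",
                      "exc_type": "CalledProcessError", "exc_message": "x"}
    print(repr(restore_exception(ok)))    # ValueError('bad input')
    print(is_safe_record(not_exception))  # False: builtins.print is a function
    print(is_safe_record(foreign_module)) # False: module not on the allowlist
```

The exception-class check in step 3 is the one that closes the injection path; the module allowlist in step 1 is a second, stricter layer that also blocks legitimate exception classes from unexpected modules, so adjust it to the tasks you run. `is_safe_record` can be run over records pulled from a backend during an incident to flag tampered entries without ever instantiating them.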
Exploit · Fix
Command Injection · OS Command Injection
Related Identifiers
Affected Products
Alt Linux
Debian
Celery