CVE-2021-23727
Summary
| CVE | CVE-2021-23727 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-29 17:15:00 UTC |
| Updated | 2023-11-07 03:30:00 UTC |
| Description | Affects the celery package before 5.2.2. By default, Celery trusts the messages and metadata stored in its result backends (result stores): when task metadata is read back from the backend, it is deserialized and acted on as-is. An attacker who can gain access to the backend, or otherwise manipulate the metadata it holds, can therefore plant metadata that triggers a stored command injection when the result is read, and potentially gain further access to the system. |
Risk And Classification
Problem Types: CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection")
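The description leaves "deserialized" abstract. The following Python example, added for this page and not taken from Celery's source, models the pattern behind a CWE-77 finding of this shape: a result backend stores a failed task's exception as a module name, a type name and a list of constructor arguments, and the reader rebuilds the exception by looking up the named attribute in the named module and calling it with the stored arguments. If nothing checks that the resolved object is actually an exception class, metadata naming a function such as `os.system` turns a routine result read into command execution by whatever process performs the read. The field names `exc_module`/`exc_type`/`exc_message`, the function names, the `SecurityError` type and the sample records are all assumptions of this model; `os.getcwd` stands in for `os.system` so that running the demo executes nothing harmful.

```python
"""Added model of the CVE-2021-23727 pattern (not Celery's own code).

A result backend stores a failed task's exception as plain metadata: which
module it came from, the type name, and the constructor arguments. On read,
the client rebuilds the exception from those three fields. If that rebuild
trusts the stored module/type names, anyone who can write to the backend
chooses which object gets called. Field and function names below are chosen
for this illustration and are not taken from this page or from Celery.
"""
import os
import sys
from typing import Any


class SecurityError(Exception):
    """Raised when stored metadata names something that is not an exception class."""


def _resolve(meta: dict) -> Any:
    """Look up meta['exc_type'] in the already-imported module meta['exc_module']."""
    module = sys.modules[meta["exc_module"]]
    return getattr(module, meta["exc_type"])


def rebuild_exception_unsafe(meta: dict) -> Any:
    """Vulnerable path: calls whatever object the backend metadata names."""
    target = _resolve(meta)
    return target(*meta.get("exc_message", ()))


def rebuild_exception_safe(meta: dict) -> BaseException:
    """Hardened path: refuses to instantiate anything but an exception class."""
    target = _resolve(meta)
    if not isinstance(target, type) or not issubclass(target, BaseException):
        raise SecurityError(
            f"refusing to call {meta['exc_module']}.{meta['exc_type']}: "
            "backend metadata must name an exception class"
        )
    return target(*meta.get("exc_message", ()))


# Constructed sample metadata (not captured from a real backend).
# What a worker legitimately stores for a task that raised ValueError("bad input"):
LEGIT_META = {"exc_module": "builtins", "exc_type": "ValueError",
              "exc_message": ["bad input"]}
# What an attacker with write access to the backend could plant instead. The shape
# is exactly that of {"exc_module": "os", "exc_type": "system", "exc_message": ["id"]};
# os.getcwd is used here so the demonstration runs nothing harmful.
MALICIOUS_META = {"exc_module": "os", "exc_type": "getcwd", "exc_message": []}


def demo() -> dict:
    """Run both metadata records through both code paths and report what happened."""
    results = {
        "legit_unsafe": rebuild_exception_unsafe(LEGIT_META),
        "legit_safe": rebuild_exception_safe(LEGIT_META),
        # The unsafe reader happily calls os.getcwd(); with os.system it would run a command.
        "attack_unsafe": rebuild_exception_unsafe(MALICIOUS_META),
    }
    # True when the planted metadata really reached a function inside the os module.
    results["attack_reached_os"] = results["attack_unsafe"] == os.getcwd()
    try:
        rebuild_exception_safe(MALICIOUS_META)
        results["attack_safe"] = "not blocked"
    except SecurityError as exc:
        results["attack_safe"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run the file directly to see both paths side by side. The hardened `rebuild_exception_safe` refuses anything that is not a `BaseException` subclass, which is the property any fix for this class of bug has to enforce before calling the resolved object; this page does not state which check Celery 5.2.2 applies, so the 5.2.2 changelog entry in the references below is the authoritative source. Independently of the code fix, treat write access to the result backend (Redis, a database, an RPC queue) as equivalent to code execution on every client or worker that reads results from it, and restrict backend credentials and network reachability accordingly. For installed deployments the remediation is to upgrade to celery 5.2.2 or later; Fedora 35 shipped python-celery-5.2.3-2.fc35 for this issue, per the references.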
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Celeryproject | Celery | All (versions before 5.2.2 are affected, per the description) | All | All | All |
| Application | Fedoraproject | Extra Packages For Enterprise Linux | 7.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Fedoraproject | Fedora Extra Packages For Enterprise Linux | 7.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| https://github.com/celery/celery/blob/master/Changelog.rst#522 (5.2.2 changelog entry) | MISC | github.com | |
| [SECURITY] Fedora 35 Update: python-celery-5.2.3-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Stored Command Injection in celery | CVE-2021-23727 | Snyk | MISC | snyk.io | |
| celery/Changelog.rst at master · celery/celery · GitHub | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
Calum Hutton, Snyk Research Team (credit carried over from the legacy CVE record)