CVE-2022-30034
Summary
| CVE | CVE-2022-30034 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-02 14:15:51 UTC |
| Updated | 2026-07-09 01:17:29 UTC |
| Description | Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. |
Risk And Classification
Primary CVSS: v3.1 8.6 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS: 0.009970000 probability, percentile 0.586030000 (date 2026-07-12)
Problem Types: CWE-287 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| 2.0 | [email protected] | Primary | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:L/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Flower Project | Flower | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Vulnerabilities in Flower: OAuth Authentication Bypass and Lack of CSRF Protections (CVE-2022-30034) · Issue #1217 · mher/flower · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Exploit, Issue Tracking |
| Multiple Vulnerabilities in Flower and Downstream Attacks on Airflow | Tanner Prynn | af854a3a-2127-422b-91ae-364da2661108 | tprynn.github.io | Exploit, Third Party Advisory |
| MISC:http://githubcommherflower.com | MITRE | githubcommherflower.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.