FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py39-celery -- command injection vulnerability

Affected packages
py39-celery < 5.2.2

Details

VuXML ID 0a38a0d9-757f-4ac3-9561-b439e933dfa9
Discovery 2021-12-09
Entry 2023-04-09

Snyk reports:

This affects the package celery before 5.2.2.

It by default trusts the messages and metadata stored in backends (result stores).

When reading task metadata from the backend, the data is deserialized.

Given that an attacker can gain access to, or somehow manipulate, the metadata within a Celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

References

CVE Name CVE-2021-23727
URL https://osv.dev/vulnerability/GHSA-q4xr-rc97-m4xx
URL https://osv.dev/vulnerability/PYSEC-2021-858