Vulnerability Description
This affects the package celery before 5.2.2. By default, it trusts the messages and metadata stored in backends (result stores). When task metadata is read from the backend, the data is deserialized without validation. If an attacker can gain access to, or otherwise manipulate, the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
CVSS Score
HIGH (7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Celeryproject | Celery | < 5.2.2 |
| Fedoraproject | Extra Packages For Enterprise Linux | 7.0 |
| Fedoraproject | Fedora | 35 |
Related Weaknesses (CWE)
References
- https://github.com/celery/celery/blob/master/Changelog.rst#522 (Broken Link, Release Notes, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapro
- https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-23727?
CVE-2021-23727 is a vulnerability with a CVSS score of 7.5 (HIGH). This affects the package celery before 5.2.2. By default, it trusts the messages and metadata stored in backends (result stores). When task metadata is read from the backend, the data is deserialized. ...
How severe is CVE-2021-23727?
CVE-2021-23727 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23727?
Check the references section above for vendor advisories and patch information. Affected products include: Celeryproject Celery, Fedoraproject Extra Packages For Enterprise Linux, Fedoraproject Fedora.