Skip to content
This repository has been archived by the owner on May 22, 2024. It is now read-only.

[Snyk: High]: Celery Stored Command Injection(due 02/24/2022) #655

Closed
2 tasks done
Tracked by #137
pkfec opened this issue Jan 12, 2022 · 0 comments · Fixed by #665
Closed
2 tasks done
Tracked by #137

[Snyk: High]: Celery Stored Command Injection(due 02/24/2022) #655

pkfec opened this issue Jan 12, 2022 · 0 comments · Fixed by #665
Assignees
@pkfec
Labels
Security: general General security concern or issue Security: high Remediate within 30 days
Milestone
Sprint 17.2

Comments

@pkfec
Copy link
Contributor

pkfec commented Jan 12, 2022
edited

Overview

Affected versions of this package are vulnerable to Stored Command Injection. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

Detailed path:

Introduced through: project@0.0.0 › celery@4.1.0

Completion criteria:

  • Upgrade celery to version 5.2.2
  • parser functionality works
@pkfec pkfec added Security: high Remediate within 30 days Security: general General security concern or issue labels Jan 12, 2022
@pkfec pkfec changed the title [Snyk: High]: (due 02/24/2022) [Snyk: High]: Celery Stored Command Injection(due 02/24/2022) Jan 12, 2022
@pkfec pkfec added this to the Sprint 17.2 milestone Jan 12, 2022
@pkfec pkfec mentioned this issue Jan 12, 2022
Closed
1 task
@fec-jli fec-jli mentioned this issue Jan 19, 2022
Closed
@patphongs patphongs mentioned this issue Jan 27, 2022
Closed
1 task
@pkfec pkfec mentioned this issue Feb 2, 2022
Merged
@cnlucas cnlucas mentioned this issue Feb 2, 2022
Closed
@hcaofec hcaofec mentioned this issue Feb 9, 2022
Closed
1 task
@patphongs patphongs mentioned this issue Feb 16, 2022
Closed
@pkfec pkfec mentioned this issue Feb 23, 2022
Closed
@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@pkfec pkfec

Labels
Security: general General security concern or issue Security: high Remediate within 30 days
Projects
None yet
Milestone
Sprint 17.2
Development

Successfully merging a pull request may close this issue.

upgrade celery and related packages fecgov/fec-eregs
1 participant
@pkfec