[Snyk: Medium] Celery - Stored Command Injection (03/29/2022) #5017
pkfec added the labels "Security: moderate" (Remediate within 60 days) and "Security: general" (General security concern or issue) on Jan 4, 2022
Overview:
Affected versions of this package are vulnerable to Stored Command Injection. By default, Celery trusts the messages and metadata stored in its backends (result stores). When task metadata is read from the backend, the data is deserialized. If an attacker can gain access to, or otherwise manipulate, the metadata within a Celery backend, they could trigger a stored command injection and potentially gain further access to the system.
https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
Possibly related issue: #3607
Detailed paths:
Introduced through: project@0.0.0 › celery@4.3.0
Fix: Upgrade celery to version 5.2.2
Introduced through: project@0.0.0 › celery-once@3.0.0 › celery@4.3.0
Fix: Pin celery to version 5.2.2
Remediation:
Upgrade celery to version 5.2.2 or higher.
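As an added audit helper (not part of this issue or of Celery itself), the following script checks the two things that matter for this advisory: whether the installed Celery is below the 5.2.2 remediation version, and whether the configuration lets the result backend deserialize object-instantiating formats such as pickle. It assumes Celery's lowercase setting names (accept_content, result_accept_content, task_serializer, result_serializer) and a constructed config dict rather than a live app.

```python
"""Audit a Celery configuration for the stored-command-injection risk in
SNYK-PYTHON-CELERY-2314953: result-backend metadata is deserialized on
read, so both the installed version and the accepted serializers matter.
Constructed example; setting names follow Celery's lowercase config keys."""
from __future__ import annotations

import re

FIXED_VERSION = (5, 2, 2)                 # remediation version from the advisory
UNSAFE_SERIALIZERS = {"pickle", "yaml"}   # formats that can instantiate arbitrary objects


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.2.2' or '4.3.0rc1' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def audit_celery(version: str, conf: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(
            f"celery {version} < 5.2.2: upgrade (SNYK-PYTHON-CELERY-2314953)")

    # Content types that will be deserialized. result_accept_content falls
    # back to accept_content when it is unset, which is the common case.
    accept = set(conf.get("accept_content", ["json"]))
    result_accept = set(conf.get("result_accept_content") or accept)
    for name, allowed in (("accept_content", accept),
                          ("result_accept_content", result_accept)):
        bad = sorted(allowed & UNSAFE_SERIALIZERS)
        if bad:
            findings.append(f"{name} allows {bad}: restrict to json")

    # Serializers the app itself writes with; json is Celery's default.
    for key in ("task_serializer", "result_serializer"):
        if conf.get(key, "json") in UNSAFE_SERIALIZERS:
            findings.append(f"{key}={conf[key]}: use json")
    return findings


if __name__ == "__main__":
    # Constructed sample: the vulnerable version from this issue, with pickle enabled.
    for line in audit_celery("4.3.0", {"accept_content": ["json", "pickle"]}):
        print(line)
```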
Completion criteria: