[Snyk: Medium] Celery - Stored Command Injection (03/29/2022) #5017

Closed · 2 tasks · pkfec opened this issue Jan 4, 2022 · 0 comments · Fixed by #5088
Labels: Security: general (General security concern or issue), Security: moderate (Remediate within 60 days)

Comments
pkfec (Contributor) commented Jan 4, 2022

Overview:

Affected versions of this package are vulnerable to Stored Command Injection. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

Possibly related issue: #3607

Detailed paths:

Introduced through: project@0.0.0 › celery@4.3.0
Fix: Upgrade celery to version 5.2.2

Introduced through: project@0.0.0 › celery-once@3.0.0 › celery@4.3.0
Fix: Pin celery to version 5.2.2

Remediation:

Upgrade celery to version 5.2.2 or higher.

Completion criteria:

  • Upgrade celery to version 5.2.2 or higher.
  • Run all celery tasks to make sure scheduled tasks work OK after the upgrade
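The failure mode the advisory text describes (a result backend whose stored metadata is deserialized on read, so whoever can write to the backend chooses what runs in the worker) is easier to reason about with a runnable illustration. The block below is an added example for this issue, not Celery's code and not anything the reporter posted: the in-memory backend, the `Evil` object, the `ContentDisallowed` class and the content-type strings are constructed stand-ins, and the "attacker command" is only recorded in a list, never executed. The allow-list in `decode_allowlisted` is the same idea that Celery exposes through its `accept_content` and `result_accept_content` settings.

```python
"""Stored deserialization in a task-result backend: trusting reader vs. allow-listed reader.

Added illustration for this issue; the backend, record format and exception
class are hypothetical stand-ins, not Celery internals.
"""
import json
import pickle

# Side-effect log so the example can prove that *reading* a stored record ran
# code, without touching the host.
EXECUTED = []


def _attacker_payload(cmd):
    # Stand-in for os.system/subprocess in a real attack; only records the call.
    EXECUTED.append(cmd)
    return cmd


class Evil:
    """Object whose pickle reconstructs by calling a function the attacker picked."""

    def __reduce__(self):
        return (_attacker_payload, ("id > /tmp/pwned",))


class ContentDisallowed(Exception):
    """Raised when a stored record names a serializer the reader does not accept."""


def make_backend():
    """Constructed result store: task_id -> (content_type, raw bytes).

    Real backends keep the serializer name next to the metadata in the same way.
    One record was written by the application, one was planted by an attacker
    with write access to the store.
    """
    legit = json.dumps({"status": "SUCCESS", "result": 42}).encode()
    planted = pickle.dumps({"status": "SUCCESS", "result": Evil()})
    return {
        "task-legit": ("application/json", legit),
        "task-planted": ("application/x-python-serialize", planted),  # attacker-written
    }


def decode_trusting(record):
    """Vulnerable reader: uses whatever serializer the stored record names."""
    content_type, raw = record
    if content_type == "application/json":
        return json.loads(raw)
    if content_type == "application/x-python-serialize":
        return pickle.loads(raw)  # attacker-controlled bytes reach pickle
    raise ContentDisallowed(content_type)


def decode_allowlisted(record, accept=("application/json",)):
    """Hardened reader: reject content types off the allow-list before any
    deserializer sees the bytes (what accept_content / result_accept_content express)."""
    content_type, raw = record
    if content_type not in accept:
        raise ContentDisallowed(f"{content_type} not in {list(accept)}")
    return decode_trusting(record)


def demo():
    """Read the planted record both ways and report what happened."""
    backend = make_backend()
    EXECUTED.clear()
    decode_trusting(backend["task-planted"])  # attacker code runs during the read
    ran_on_trusting = list(EXECUTED)
    EXECUTED.clear()
    try:
        decode_allowlisted(backend["task-planted"])
        blocked = False
    except ContentDisallowed:
        blocked = True
    return {
        "trusting_executed": ran_on_trusting,
        "allowlisted_blocked": blocked,
        "allowlisted_executed": list(EXECUTED),
        "legit_result": decode_allowlisted(backend["task-legit"])["result"],
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway for the remediation checklist: the version bump removes the unsafe default, but a worker that still lists `pickle` in `accept_content` or `result_accept_content` keeps trusting the backend, so the upgrade is worth pairing with a check that those settings are JSON-only (this is an added recommendation, not a statement from the advisory).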
pkfec added the Security: moderate (Remediate within 60 days) and Security: general (General security concern or issue) labels Jan 4, 2022
patphongs added this to the Sprint 17.4 milestone Jan 10, 2022
johnnyporkchops self-assigned this Mar 23, 2022
patphongs modified the milestones: Sprint 17.4, Sprint 17.6 Mar 29, 2022
rfultz modified the milestones: Sprint 17.6, PI 17 innovation Apr 13, 2022
pkfec modified the milestones: PI 17 innovation, Sprint 18.1 May 3, 2022