CVE-2021-23727
Description
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
1.148
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-23727 are fixed in Python-celery 5.2.2 | Windows |
| Vulnerabilities CVE-2021-23727 are fixed in Python-celery for linux 5.2.2 | Linux |
| Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability (CVE-2021-23727) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234