Candidate: CVE-2021-23727
PublicDate: 2021-12-29 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23727
 https://github.com/celery/celery/blob/master/Changelog.rst#522
 https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
Description:
 This affects the package celery before 5.2.2. It by default trusts the
 messages and metadata stored in backends (result stores). When reading task
 metadata from the backend, the data is deserialized. Given that an attacker
 can gain access to, or somehow manipulate, the metadata within a celery
 backend, they could trigger a stored command injection vulnerability and
 potentially gain further access to the system.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5 HIGH]

Patches_celery:
upstream_celery: released (5.2.2)
trusty/esm_celery: needs-triage
trusty_celery: ignored (out of standard support)
xenial_celery: ignored (out of standard support)
bionic_celery: needs-triage
focal_celery: needs-triage
hirsute_celery: ignored (reached end-of-life)
impish_celery: needs-triage
jammy_celery: not-affected (5.2.3-1)
devel_celery: not-affected (5.2.3-1)
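The Description above says the backend's stored task metadata is deserialized as-is, and that someone who can write to the result store can turn that into code execution. The following is an added, self-contained illustration of that failure mode and of the content-type allow-list that closes it. It is not Celery's code and does not import Celery: the in-memory store, the `load_meta_*` functions, `ContentDisallowed`, `Gadget` and `record_execution` are all constructed for this example. `application/x-python-serialize` is the content type Celery uses for pickle; the allow-list mirrors the role of Celery's `accept_content` / `result_accept_content` settings, which is the practitioner's check on top of upgrading to 5.2.2 or later.

```python
import json
import pickle

# Constructed demo: a minimal in-memory result store modelled on how a result
# backend keeps task metadata (a content type plus a serialized body).
# None of this is Celery's code; the names below are illustrative only.

PICKLE_TYPE = "application/x-python-serialize"  # content type Celery uses for pickle
JSON_TYPE = "application/json"

EXECUTED = []  # records that attacker-supplied code ran during unpickling


def record_execution(marker):
    """Stand-in for os.system/subprocess: proves code executed on load."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Unpickling this object calls record_execution() (a __reduce__ gadget).

    A real attacker would point __reduce__ at os.system or similar.
    """

    def __reduce__(self):
        return (record_execution, ("attacker code ran on the worker",))


def poisoned_entry():
    """What an attacker with write access to the backend would store."""
    return (PICKLE_TYPE, pickle.dumps(Gadget()))


def legitimate_entry(task_id, result):
    """What a well-behaved worker stores for a finished task (constructed)."""
    meta = {"task_id": task_id, "status": "SUCCESS", "result": result}
    return (JSON_TYPE, json.dumps(meta).encode())


class ContentDisallowed(Exception):
    """Raised when the store claims a content type we refuse to deserialize."""


def load_meta_trusting(content_type, body):
    """Vulnerable pattern: honour whatever content type the store claims."""
    if content_type == PICKLE_TYPE:
        return pickle.loads(body)  # attacker code runs before this returns
    if content_type == JSON_TYPE:
        return json.loads(body)
    raise ContentDisallowed(content_type)


def load_meta_restricted(content_type, body, accept_content=(JSON_TYPE,)):
    """Hardened pattern: refuse anything outside the allow-list up front.

    accept_content plays the role of Celery's accept_content /
    result_accept_content settings (assumed mapping, for illustration).
    """
    if content_type not in accept_content:
        raise ContentDisallowed(content_type)
    if content_type == JSON_TYPE:
        return json.loads(body)
    if content_type == PICKLE_TYPE:  # only reachable if pickle was allowed
        return pickle.loads(body)
    raise ContentDisallowed(content_type)


def demo():
    """Run both loaders over a poisoned and a legitimate entry; return findings."""
    store = {
        "task-1": poisoned_entry(),
        "task-2": legitimate_entry("task-2", 42),
    }
    out = {}

    # 1. Trusting loader: the poisoned entry executes code during deserialization.
    EXECUTED.clear()
    out["trusting_result"] = load_meta_trusting(*store["task-1"])
    out["executed_after_trusting"] = list(EXECUTED)

    # 2. Restricted loader: rejected before pickle.loads is ever reached.
    EXECUTED.clear()
    try:
        load_meta_restricted(*store["task-1"])
        out["restricted_rejected"] = False
    except ContentDisallowed:
        out["restricted_rejected"] = True
    out["executed_after_restricted"] = list(EXECUTED)

    # 3. Legitimate JSON metadata still loads under the restricted loader.
    out["legit"] = load_meta_restricted(*store["task-2"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the restricted loader is that the check happens on the declared content type before any deserializer runs; once `pickle.loads` is called on attacker bytes there is nothing left to validate. In a real deployment the equivalent is to keep `accept_content` and `result_accept_content` limited to `json` and to treat write access to the broker or result backend as equivalent to code execution on every worker.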