Main Vulnerability Database Vulnerabilities #VU82326

Command Injection in celery - CVE-2021-23727

Published: October 24, 2023

Vulnerability identifier: #VU82326

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-23727

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Celery

Affected software:
celery

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to celery by default trusts the messages and metadata stored in backends (result stores). A remote user can trigger the vulnerability and execute arbitrary code on the target system.

How to mitigate CVE-2021-23727

Install updates from vendor's website.

Sources

https://github.com/celery/celery/blob/master/Changelog.rst%23522
https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/

Command Injection in celery - CVE-2021-23727

Detailed vulnerability description

How to mitigate CVE-2021-23727

Sources

Please verify you're human