Bug 2037531 (CVE-2021-23727) - CVE-2021-23727 celery: stored command injection vulnerability may allow privileges escalation
Summary: CVE-2021-23727 celery: stored command injection vulnerability may allow privi...
Keywords:
Status: NEW
Alias: CVE-2021-23727
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2037533 2037532 2037710 2037740
Blocks: 2037535
TreeView+ depends on / blocked
 
Reported: 2022-01-05 20:22 UTC by Marian Rehak
Modified: 2022-04-23 04:26 UTC (History)
37 users (show)

Fixed In Version: celery 5.2.2
Doc Type: If docs needed, set a value
Doc Text:
A command injection vulnerability was found in the distributed task queue celery, which can lead to remote code execution. An attacker with access to backend results can reconstruct the exception class to act as a command payload which can be queried to the task to execute.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2022-01-05 20:22:48 UTC
It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

External Reference:

https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

Comment 1 Marian Rehak 2022-01-05 20:23:10 UTC
Created python-celery tracking bugs for this issue:

Affects: epel-all [bug 2037533]
Affects: fedora-all [bug 2037532]

Comment 3 lnacshon 2022-01-06 12:04:02 UTC
fix:
to upgrade celery to version 5.2.2 or higher.

Comment 6 Tapas Jena 2022-01-06 14:52:45 UTC
The analysis is complete for Ansible Tower 3.8 and Controller as part of AAP 2.0. None of them are using the affected component i.e. celery(python-celery)[1]. Hence, marking it as "Not Affected".


[1] Please refer : https://github.com/ansible/tower/blob/release_3.8.6/requirements/requirements.txt


Note You need to log in before you can comment on or make changes to this bug.