Bug 2037531 (CVE-2021-23727) - CVE-2021-23727 celery: stored command injection vulnerability may allow privileges escalation
Keywords:
Status: NEW
Alias: CVE-2021-23727
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2037533 2037532 2037710 2037740
Blocks: 2037535
Reported: 2022-01-05 20:22 UTC by Marian Rehak
Modified: 2023-07-07 08:29 UTC (History)

Fixed In Version: celery 5.2.2
Doc Type: If docs needed, set a value
Doc Text:
A command injection vulnerability was found in the distributed task queue celery, which can lead to remote code execution. An attacker with access to the backend result store can craft stored task metadata so that the exception class reconstructed from it acts as a command payload, which is then executed when the task result is queried.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2022-01-05 20:22:48 UTC
It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

External Reference:

https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
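The description above says the backend metadata is trusted and deserialized as-is, and the doc text says the exception class is rebuilt from that metadata. The following is an added example (not celery's own code) of how a defender would harden that reconstruction step: the stored module name is checked against an allow-list, and the named attribute must be an exception class before it is instantiated. The metadata keys `exc_type`, `exc_module` and `exc_message` are an assumption for this example.

```python
"""Hardened reconstruction of an exception from result-backend metadata.

Added example, not celery's own code. The metadata layout
(exc_type / exc_module / exc_message) is assumed for illustration.
"""
import importlib
from typing import Any, Dict

# Only exception classes from these modules may be rebuilt. A real
# deployment would extend this with its own application exception modules.
ALLOWED_EXC_MODULES = frozenset({"builtins"})


class UntrustedResultError(Exception):
    """Raised when stored metadata names something other than a known exception."""


def exception_from_metadata(meta: Dict[str, Any]) -> BaseException:
    module_name = meta.get("exc_module", "builtins")
    type_name = meta.get("exc_type")
    message = meta.get("exc_message", "")
    if not isinstance(type_name, str) or not isinstance(module_name, str):
        raise UntrustedResultError("exc_type and exc_module must be strings")
    # Refuse to import a module simply because the stored data names it.
    if module_name not in ALLOWED_EXC_MODULES:
        raise UntrustedResultError(f"module {module_name!r} is not an allowed exception source")
    module = importlib.import_module(module_name)
    cls = getattr(module, type_name, None)
    # The attribute must be an exception class, never a function or other callable.
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise UntrustedResultError(f"{module_name}.{type_name} is not an exception class")
    # The message is passed as one plain string, not unpacked as constructor arguments.
    try:
        return cls(str(message))
    except TypeError:
        # Exceptions with non-standard constructors are wrapped rather than reflected.
        return RuntimeError(f"{type_name}: {message}")


def is_safe_exception_metadata(meta: Dict[str, Any]) -> bool:
    """True if the stored metadata reconstructs to a genuine exception object."""
    try:
        exception_from_metadata(meta)
        return True
    except UntrustedResultError:
        return False
```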

Comment 1 Marian Rehak 2022-01-05 20:23:10 UTC
Created python-celery tracking bugs for this issue:

Affects: epel-all [bug 2037533]
Affects: fedora-all [bug 2037532]

Comment 3 lnacshon 2022-01-06 12:04:02 UTC
Fix: upgrade celery to version 5.2.2 or higher.

Comment 6 Tapas Jena 2022-01-06 14:52:45 UTC
The analysis is complete for Ansible Tower 3.8 and Controller as part of AAP 2.0. None of them are using the affected component, i.e. celery (python-celery) [1]. Hence, marking it as "Not Affected".


[1] Please refer to: https://github.com/ansible/tower/blob/release_3.8.6/requirements/requirements.txt
