VDB
CVE-2021-23727
PUBLISHED
This affects the package celery before 5.2.2. By default it trusts the messages and metadata stored in backends (result stores). When task metadata is read from the backend, the data is deserialized. If an attacker can gain access to, or otherwise manipulate, the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Risk Scores
EPSS Score
1.40%
80.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | celery | 0, 4.2.1-5ubuntu1, 4.2.1-5fakesync1 |
| Ubuntu:24.04:LTS | celery | 0, 5.3.4-1, 5.3.6-1 |
| Ubuntu:16.04:LTS | celery | 3.1.18-1ubuntu1, 0, 3.1.20-1 |
| Ubuntu:18.04:LTS | celery | 0, 4.1.0-2ubuntu1, 4.0.2-0ubuntu1 |
| Ubuntu:14.04:LTS | celery | 0, 2.5.3-4ubuntu1, 3.1.6-1ubuntu1 |
Timeline
- Dec 29, 2021 CVE Published
- Dec 30, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 17, 2022 EPSS Score
- Jun 9, 2022 EPSS Score
- Aug 3, 2022 EPSS Score
- Sep 26, 2022 EPSS Score
- Jan 11, 2023 EPSS Score
- Mar 6, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 29, 2023 EPSS Score
- Aug 14, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23727 third-party-advisory
- https://github.com/celery/celery/blob/master/Changelog.rst%23522 third-party-advisory
- https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23727 third-party-advisory