Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/celery@3.0.4

Type pypi

Namespace

Name celery

Version 3.0.4

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.2.2

Latest_non_vulnerable_version 5.2.2

Affected_by_vulnerabilities

url VCID-vn2p-r6ke-sfby

vulnerability_id VCID-vn2p-r6ke-sfby

summary This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

references

reference_url	https://github.com/advisories/GHSA-q4xr-rc97-m4xx
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-q4xr-rc97-m4xx

reference_url	https://github.com/celery/celery/blob/master/Changelog.rst%23522
reference_id
reference_type
scores
url	https://github.com/celery/celery/blob/master/Changelog.rst%23522

reference_url	https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
reference_id
reference_type
scores
url	https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2021-23727
reference_id	CVE-2021-23727
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2021-23727

fixed_packages

url	pkg:pypi/celery@5.2.2
purl	pkg:pypi/celery@5.2.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/celery@5.2.2

aliases CVE-2021-23727, GHSA-q4xr-rc97-m4xx, PYSEC-2021-858, SNYK-PYTHON-CELERY-2314953

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vn2p-r6ke-sfby

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/celery@3.0.4

Package Instance