Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/celery@2.3.0

Type pypi

Namespace

Name celery

Version 2.3.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.2.2

Latest_non_vulnerable_version 5.2.2

Affected_by_vulnerabilities

url VCID-bajt-nqye-9ue8

vulnerability_id VCID-bajt-nqye-9ue8

summary Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.

references

reference_url	http://secunia.com/advisories/46973
reference_id
reference_type
scores
url	http://secunia.com/advisories/46973

reference_url	https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt
reference_id
reference_type
scores
url	https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt

reference_url	https://github.com/ask/celery/pull/544
reference_id
reference_type
scores
url	https://github.com/ask/celery/pull/544

reference_url	http://www.securityfocus.com/bid/50825
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/50825

fixed_packages

url pkg:pypi/celery@2.3.4

purl pkg:pypi/celery@2.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vn2p-r6ke-sfby

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/celery@2.3.4

url pkg:pypi/celery@2.4.4

purl pkg:pypi/celery@2.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vn2p-r6ke-sfby

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/celery@2.4.4

aliases CVE-2011-4356, PYSEC-2011-17

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bajt-nqye-9ue8

url VCID-vn2p-r6ke-sfby

vulnerability_id VCID-vn2p-r6ke-sfby

summary This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

references

reference_url	https://github.com/advisories/GHSA-q4xr-rc97-m4xx
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-q4xr-rc97-m4xx

reference_url	https://github.com/celery/celery/blob/master/Changelog.rst%23522
reference_id
reference_type
scores
url	https://github.com/celery/celery/blob/master/Changelog.rst%23522

reference_url	https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
reference_id
reference_type
scores
url	https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2021-23727
reference_id	CVE-2021-23727
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2021-23727

fixed_packages

url	pkg:pypi/celery@5.2.2
purl	pkg:pypi/celery@5.2.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/celery@5.2.2

aliases CVE-2021-23727, GHSA-q4xr-rc97-m4xx, PYSEC-2021-858, SNYK-PYTHON-CELERY-2314953

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vn2p-r6ke-sfby

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/celery@2.3.0

Package Instance