CVE-2021-23727: OS Command Injection in celery

December 29, 2021 (updated November 7, 2023)

This affects the package celery It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

References

github.com/advisories/GHSA-q4xr-rc97-m4xx
github.com/celery/celery/blob/master/Changelog.rst%23522
nvd.nist.gov/vuln/detail/CVE-2021-23727
snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

Detect and mitigate CVE-2021-23727 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →