CVE-2020-17495: django-celery-results Stores Sensitive Information In Cleartext
(updated )
django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
In version 2.4.0 this is no longer the default behaviour but can be re-enabled with the result_extended flag in which case care should be taken to ensure any sensitive variables are scrubbed - see here for an example.
References
- github.com/advisories/GHSA-fvx8-v524-8579
- github.com/celery/django-celery-results
- github.com/celery/django-celery-results/commit/ad508fe3433499e5fc94645412d911e174863f28
- github.com/celery/django-celery-results/issues/142
- github.com/celery/django-celery-results/issues/154
- github.com/celery/django-celery-results/pull/316
- github.com/pypa/advisory-database/tree/main/vulns/django-celery-results/PYSEC-2020-38.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-17495
Detect and mitigate CVE-2020-17495 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →