CVE-2021-23727
Severity: HIGH
celery < 5.2.2 - Stored Command Injection via Backend Metadata Deserialization
Title source: llmDescription
This affects the package celery before 5.2.2. By default it trusts the messages and metadata stored in backends (result stores): when task metadata is read from the backend, the data is deserialized without verification. If an attacker can gain access to, or otherwise manipulate, the metadata stored in a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
References (3)
Exploit, Third Party Advisory (x_refsource_misc):
https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
Broken Link, Release Notes, Third Party Advisory (x_refsource_misc):
https://github.com/celery/celery/blob/master/Changelog.rst%23522
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora):
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/
Scores
CVSS v3: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0140
EPSS Percentile: 80.7%
Details
CWE: CWE-77
Status: published
Products (4)
celeryproject/celery: < 5.2.2
fedoraproject/extra_packages_for_enterprise_linux: 7.0
fedoraproject/fedora: 35
pypi/celery: 0 - 5.2.2 (PyPI)
Published: Dec 29, 2021
Tracked Since: Feb 18, 2026