celery@4.3.0rc1 vulnerabilities
Distributed Task Queue.
-
latest version
5.4.0
-
latest non vulnerable version
-
first published
16 years ago
-
latest version published
7 months ago
-
licenses detected
- [0.1.2,5.3.0b2)
Direct Vulnerabilities
Known vulnerabilities in the celery package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Race Condition through the How to fix Race Condition? Upgrade |
[,4.4.0rc5)
|
Affected versions of this package are vulnerable to Stored Command Injection. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system. PoCExample of modified metadata as stored in the result stores:
Reproduction steps in a Python shell:
The result would be an output of How to fix Stored Command Injection? Upgrade |
[,5.2.2)
|