celery@4.4.0rc1 vulnerabilities

Distributed Task Queue.

latest version

5.4.0
latest non vulnerable version

5.4.0
first published

15 years ago
latest version published

18 days ago
licenses detected
- BSD-2-Clause
  [0.1.2,5.3.0b2)
View celery package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the celery package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Race Condition Affected versions of this package are vulnerable to Race Condition through the `canvas.py` component during the publishing of very large chord headers. How to fix Race Condition? Upgrade `celery` to version 4.4.0rc5 or higher.	[,4.4.0rc5)
M Stored Command Injection Affected versions of this package are vulnerable to Stored Command Injection. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system. PoC Example of modified metadata as stored in the result stores: `'status': 'FAILURE', 'result': json.dumps({ 'exc_module': 'os', 'exc_type': 'system', 'exc_message': 'id' }) }` Reproduction steps in a Python shell: `from celery.backends.base import Backend from celery import Celery b = Backend(Celery()) exc = {'exc_module':'os', 'exc_type':'system', 'exc_message':'id'} b.exception_to_python(exc)` The result would be an output of `os.system('id')`. How to fix Stored Command Injection? Upgrade `celery` to version 5.2.2 or higher.	[,5.2.2)

Race Condition

Affected versions of this package are vulnerable to Race Condition through the canvas.py component during the publishing of very large chord headers.

How to fix Race Condition?

Upgrade celery to version 4.4.0rc5 or higher.

[,4.4.0rc5)

Stored Command Injection

Affected versions of this package are vulnerable to Stored Command Injection. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

PoC

Example of modified metadata as stored in the result stores:

'status': 'FAILURE',
'result': json.dumps({
  'exc_module': 'os',
  'exc_type': 'system',
  'exc_message': 'id'
  })
}

Reproduction steps in a Python shell:

from celery.backends.base import Backend
from celery import Celery
b = Backend(Celery())
exc = {'exc_module':'os',  'exc_type':'system', 'exc_message':'id'}
b.exception_to_python(exc)

The result would be an output of os.system('id').

How to fix Stored Command Injection?

Upgrade celery to version 5.2.2 or higher.

[,5.2.2)

Go back to all versions of this package

celery@4.4.0rc1 vulnerabilities

Distributed Task Queue.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC