Privilege Escalation Affecting celery package, versions [,2.2.8) [2.3.0,2.3.4) [2.4.0,2.4.4)

Threat Intelligence

0.04% (6^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-CELERY-40086
published 25 Feb 2016
disclosed 5 Dec 2011
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 5 Dec 2011

CVE-2011-4356 Open this link in a new tab CWE-264 Open this link in a new tab

Overview

celery is a Distributed Task Queue. Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Local
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High