CVE-2021-23727
OS Command Injection in celery
7.5
HIGH
CVSS 3.1
EPSS 1.4%
Description
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
How to fix CVE-2021-23727
To remediate CVE-2021-23727, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 5.2.2 or later
- —upgrade to 5.2.2 or later
Is CVE-2021-23727 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, < 5.2.2
- from 0, < 5.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |