CVE-2021-23727
Command Injection vulnerability in celery (PyPI)


What is CVE-2021-23727 About?

This vulnerability affects Celery before 5.2.2, enabling command injection due to the default trust in deserialized task metadata from backends. An attacker manipulating backend metadata can execute arbitrary commands on the system, which is a critical impact and can be achieved with moderate effort if backend access is gained.

Affected Software

celery <5.2.2

Technical Details

The core of this vulnerability lies in Celery's default behavior of implicitly trusting and deserializing task metadata stored in result backends. When a Celery worker processes tasks, it retrieves metadata from the backend (e.g., Redis, RabbitMQ). If an attacker can inject or alter malicious data within this metadata, such as a specially crafted payload within a task result, the deserialization process will execute arbitrary commands. Specifically, this is a stored command injection where the payload is persisted in the backend and executed upon retrieval by a Celery worker, potentially leading to remote code execution.

What is the Impact of CVE-2021-23727?

Successful exploitation may allow attackers to execute arbitrary commands on the system where Celery workers are running, potentially leading to full system compromise, data exfiltration, or further network penetration. The integrity, confidentiality, and availability of the system can be severely compromised.

What is the Exploitability of CVE-2021-23727?

Exploitation requires an attacker to gain access to, or have the ability to manipulate, the Celery backend where task metadata is stored. This could involve compromising the backend service itself or exploiting other vulnerabilities to write malicious data to it. No direct authentication to Celery is needed for the injection once backend access is achieved, as the vulnerability lies in how Celery processes the already stored data. Privileges would be those of the Celery worker process. This is primarily a local or indirect remote exploitation via the backend, and its complexity depends heavily on the security of the Celery backend.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2021-23727?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

The patch ensures that when deserializing exceptions, only legitimate exception classes (subclasses of BaseException) are instantiated, blocking arbitrary code execution via malicious payloads. This prevents attackers from supplying dangerous modules or callables in exception data that could result in code execution, thus fixing the deserialization vulnerability identified in CVE-2021-23727.
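As an added illustration of the check the fix describes (my own code, not Celery's, with the function and field names assumed), this rebuilds a stored exception from backend metadata the way a result backend would and refuses to instantiate anything that is not an exception class; the metadata dictionaries are constructed samples.

```python
import sys
from typing import Any, Mapping


class SecurityError(Exception):
    """Raised when stored metadata names something other than an exception class."""


def create_exception_cls(name: str, module: str) -> type:
    """Stand-in exception class for a type we cannot or will not resolve."""
    return type(name, (Exception,), {"__module__": module})


def exception_from_metadata(meta: Mapping[str, Any]) -> BaseException:
    """Rebuild an exception from backend metadata (assumed field names)."""
    exc_module = meta.get("exc_module")
    try:
        exc_type = meta["exc_type"]
    except KeyError as e:
        raise ValueError("Exception information must include the exception type") from e
    args = meta.get("exc_message", ())
    if isinstance(args, str):
        args = (args,)
    if exc_module is None:
        cls = create_exception_cls(exc_type, __name__)
    else:
        try:
            # Only consult modules that are already loaded; never import on
            # behalf of data read back from the backend.
            cls = sys.modules[exc_module]
            for name in exc_type.split("."):  # allow nested qualified names
                cls = getattr(cls, name)
        except (KeyError, AttributeError):
            cls = create_exception_cls(exc_type, __name__)
    # The hardening: whatever the lookup returned must be an exception *class*,
    # so a metadata record pointing at an arbitrary callable is rejected
    # instead of being called with attacker-chosen arguments.
    if not isinstance(cls, type) or not issubclass(cls, BaseException):
        raise SecurityError(f"Expected an exception class, got {exc_module}.{exc_type}")
    return cls(*args)


def is_rejected(meta: Mapping[str, Any]) -> bool:
    """True when the metadata is refused by the exception-class check."""
    try:
        exception_from_metadata(meta)
    except SecurityError:
        return True
    return False


# Constructed sample records as a result backend might store them.
GOOD_META = {"exc_module": "builtins", "exc_type": "ValueError", "exc_message": ["bad input"]}
BAD_META = {"exc_module": "builtins", "exc_type": "print", "exc_message": ["not an exception"]}
UNKNOWN_META = {"exc_module": "no_such_module_xyz", "exc_type": "WidgetError"}
```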

Available Upgrade Options

  • celery
    • <5.2.2 → Upgrade to 5.2.2


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23727?

Similar Vulnerabilities: CVE-2020-11022, CVE-2019-1002005, CVE-2017-1000353, CVE-2021-41133, CVE-2020-2204