CVE-2022-30034
Authentication Bypass vulnerability in flower (PyPI)

Type: Authentication Bypass. Known public exploit: none. Fixable by: Resolved Security.

What is CVE-2022-30034 About?

This vulnerability in Flower, the web UI for Celery, allows an OAuth authentication bypass. An attacker can gain unauthorized access to the Flower API, which exposes discovery and invocation of arbitrary Celery RPC calls and allows denial of service by shutting down Celery nodes. Exploitation is remote and can give the attacker significant control over the Celery infrastructure.

Affected Software

flower <1.2.0

Technical Details

Flower, the web UI for the Celery Python RPC framework, is vulnerable to an OAuth authentication bypass in all versions released as of May 2, 2022. The flaw lets an attacker circumvent the intended authentication mechanism and gain unauthorized access to the Flower API. In general terms, a defect in the validation performed during the OAuth flow lets an attacker pass as a successfully authenticated user, or reach API endpoints without a properly authorized token (the specific cause is described under the fix below). Once past authentication, the attacker can use the Flower API to list active Celery tasks and workers, inspect internal state and, more critically, invoke arbitrary Celery RPC calls. This direct access to the RPC framework allows command execution, data manipulation, or a denial of service by shutting down worker nodes, effectively taking the Celery infrastructure offline.

What is the Impact of CVE-2022-30034?

Successful exploitation may allow attackers to bypass authentication and gain unauthorized access to the Flower API, which can lead to discovery and execution of arbitrary RPC calls, or to denial of service by shutting down Celery task nodes.

What is the Exploitability of CVE-2022-30034?

Exploitation of this vulnerability is remote and, by definition, bypasses an authentication mechanism, meaning no prior authentication is required. The complexity would involve identifying and leveraging the specific flaw in the OAuth authentication implementation. There are no special privilege requirements, as the vulnerability itself grants unauthorized access. The attacker would need to communicate directly with the Flower web UI. The risk factor is severe due to the remote nature and the complete bypass of security controls, granting extensive control over the Celery environment.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-30034?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch introduces stricter pattern validation and safer authentication logic to prevent unauthorized access via crafted email addresses, addressing CVE-2022-30034. The vulnerability was caused by insecure use of regular expressions for email matching, allowing attackers to bypass authentication with emails like "admin@corp.com.attacker.com"; the fix defines an explicit matching function, restricts supported patterns, and enforces validation to prevent regex injection.
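To make the failure mode concrete, the following is an added illustration, not Flower's own code or its actual patch: a weak check that hands the configured address straight to `re.match`, next to a hardened check that only accepts plain `user@host` or `*@host` entries, escapes them, and matches the whole string. The allow-list syntax and the entry-validation rules are assumptions for this example.

```python
import re

def vulnerable_is_allowed(pattern: str, email: str) -> bool:
    """Weak check: the configured address is used as a raw regex.
    re.match anchors only at the start, so anything may trail the address,
    and '.' in the pattern is a wildcard rather than a literal dot."""
    return re.match(pattern, email) is not None

# Assumed allow-list grammar: comma-separated 'user@host' or '*@host' entries.
_LOCAL_PART = re.compile(r"[A-Za-z0-9._%+-]+")
_DOMAIN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def compile_allowlist(spec: str) -> re.Pattern:
    """Turn the allow-list into one regex built only from escaped literals.
    Any entry that is not a plain address is rejected, so the configuration
    value can never smuggle regex syntax into the check."""
    alternatives = []
    for entry in spec.split(","):
        entry = entry.strip()
        local, sep, domain = entry.rpartition("@")
        if not sep or not _DOMAIN.fullmatch(domain):
            raise ValueError(f"invalid allow-list entry: {entry!r}")
        if local == "*":
            # Whole domain allowed; the local part may not contain '@'.
            alternatives.append(r"[^@]+@" + re.escape(domain))
        elif _LOCAL_PART.fullmatch(local):
            alternatives.append(re.escape(local) + "@" + re.escape(domain))
        else:
            raise ValueError(f"invalid allow-list entry: {entry!r}")
    return re.compile("(?:" + "|".join(alternatives) + ")")

def hardened_is_allowed(spec: str, email: str) -> bool:
    """Hardened check: fullmatch requires the entire email to equal an entry."""
    return compile_allowlist(spec).fullmatch(email) is not None

if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    for addr in ("admin@corp.com", "admin@corp.com.attacker.com", "admin@corpXcom"):
        print(addr, vulnerable_is_allowed("admin@corp.com", addr),
              hardened_is_allowed("admin@corp.com", addr))
```

Run stand-alone, the script shows the weak check accepting all three constructed addresses while the hardened check accepts only the exact one.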

Available Upgrade Options

  • flower
    • <1.2.0 → Upgrade to 1.2.0

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2022-30034?

Similar Vulnerabilities: CVE-2022-22965, CVE-2021-44228, CVE-2021-41223, CVE-2020-14361, CVE-2019-14379