GHSA-fvx8-v524-8579

Source
https://github.com/advisories/GHSA-fvx8-v524-8579
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fvx8-v524-8579
Aliases
Published
2021-06-04T21:46:52Z
Modified
2024-09-13T20:24:22.593564Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
django-celery-results Stores Sensitive Information In Cleartext
Details

django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.

In version 2.4.0 this is no longer the default behaviour, but it can be re-enabled with the result_extended flag, in which case care should be taken to ensure that any sensitive variables are scrubbed before they reach the result backend - see here for an example.

Database specific
{
    "nvd_published_at": "2020-08-11T21:15:00Z",
    "cwe_ids": [
        "CWE-312"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T21:40:19Z"
}
References

Affected packages

PyPI / django-celery-results

Package

Name
django-celery-results
Purl
pkg:pypi/django-celery-results

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.3.0
2.3.1