GHSA-rpc6-h455-3rx5

Source
https://github.com/advisories/GHSA-rpc6-h455-3rx5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rpc6-h455-3rx5/GHSA-rpc6-h455-3rx5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rpc6-h455-3rx5
Aliases
Published
2022-05-17T05:36:00Z
Modified
2024-09-06T16:42:00.466126Z
Summary
Celery local privilege escalation vulnerability
Details

Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.

Database specific
{
    "nvd_published_at": "2011-12-05T11:55:00Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-01T16:44:52Z"
}
References

Affected packages

PyPI / celery

Affected range (type ECOSYSTEM): introduced 2.1.0, fixed 2.2.8

Affected versions

2.*

2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7

PyPI / celery

Affected range (type ECOSYSTEM): introduced 2.3.0, fixed 2.3.4

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3

PyPI / celery

Affected range (type ECOSYSTEM): introduced 2.4.0, fixed 2.4.4

Affected versions

2.*

2.4.0
2.4.1
2.4.2
2.4.3