PYSEC-2011-17

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/celery/PYSEC-2011-17.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2011-17

Aliases

Published

2011-12-05T11:55:00Z

Modified

2024-05-01T17:11:36.722980Z

Summary

[none]

Details

Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.

References

Affected packages

PyPI / celery

Package

Name: celery; View open source insights on deps.dev
Purl: pkg:pypi/celery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1

Fixed

2.2.8

Introduced

2.3

Fixed

2.3.4

Introduced

2.4

Fixed

2.4.4

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2

2.4.3