Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2021-23727

High

7.5/10

Summary

This affects the package celery 4.2.1 through 5.2.1. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-77 - Command Injection

A command injection attack involves injecting an operating system command through the data input, which gets executed on the host operating system with the privileges of the victimized application. The impact of a command injection attack may range from loss of data confidentiality and integrity to unauthorized remote access to the hosting system. The attack may cause serious data breaches and system takeover.

References

Advisory Timeline

Published Dec 29, 2021

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2021-23727

Summary

CWE-77 - Command Injection

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS