EIQ-2022-0001

| Field | Value |
|---|---|
| ID | EIQ-2022-0001 |
| CVE | |
| Description | Celery ≤5.2.1 is vulnerable to stored command injection |
| Date | 6 January 2022 |
| Severity | 2 - MEDIUM |
| CVSSv3 score | |
| Status | 2.12.0 |
| Assessment | Celery 5.2.1 and earlier is vulnerable to stored command injection. An attacker can store a malicious command as task metadata in the Celery backend. When an exception is triggered, Celery deserializes and reads that particular task's metadata, consequently executing the malicious command. To exploit this vulnerability, the attacker must have direct access to the Celery backend. The Intelligence Center uses Redis as its Celery backend, and partially mitigates this vulnerability with the following defaults: Full mitigation requires an upgrade to Celery 5.2.2 and later. Mitigated on Hosted Intelligence Center instances; Redis instances cannot be accessed externally. Affected versions of the Intelligence Center: |
| Mitigation | Upgrade to IC 2.12.0. See assessment for mitigation on 2.11.x and earlier. |
| Affected versions | 2.11.x and earlier |
| Notes | N/A |
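The assessment above describes failure metadata in the result backend being deserialized into an exception when a task fails. The following audit check is an added example (not part of this advisory, of the Intelligence Center, or of Celery's own fix) that scans stored result records and reports any whose exception fields would not resolve to a genuine exception class; it assumes the backend stores FAILURE records as JSON with `exc_module` / `exc_type` fields, and the sample records are constructed.

```python
"""Audit stored Celery task results for exception metadata that does not
name a real exception class (added example; record shape is an assumption)."""
import importlib
import json

# Only exception classes from these modules are acceptable in stored metadata.
# Any other module name is reported, never imported, during the audit.
ALLOWED_EXC_MODULES = {"builtins", "celery.exceptions"}


def check_failure_record(record: dict) -> list[str]:
    """Return findings for one decoded record; an empty list means it looks benign."""
    findings = []
    if record.get("status") != "FAILURE":
        return findings
    result = record.get("result") or {}
    module = result.get("exc_module", "builtins")
    name = result.get("exc_type", "")
    if module not in ALLOWED_EXC_MODULES:
        findings.append(f"exc_module {module!r} is not an allowed exception module")
        return findings
    try:
        cls = getattr(importlib.import_module(module), name, None)
    except ImportError:
        return [f"allowed module {module!r} is not importable here"]
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        findings.append(f"{module}.{name!r} is not an exception class")
    return findings


def audit(raw_records: list[str]) -> dict:
    """Map task_id -> findings for every raw JSON record that raised a finding."""
    report = {}
    for raw in raw_records:
        rec = json.loads(raw)
        findings = check_failure_record(rec)
        if findings:
            report[rec.get("task_id")] = findings
    return report


# Constructed sample records: a success, a normal failure, a failure pointing at a
# module outside the allowlist, and one naming a builtin that is not an exception.
SAMPLE_RECORDS = [
    '{"task_id": "t1", "status": "SUCCESS", "result": 42}',
    '{"task_id": "t2", "status": "FAILURE", "result": {"exc_module": "builtins", "exc_type": "ValueError", "exc_message": ["bad input"]}}',
    '{"task_id": "t3", "status": "FAILURE", "result": {"exc_module": "untrusted_module", "exc_type": "run", "exc_message": ["x"]}}',
    '{"task_id": "t4", "status": "FAILURE", "result": {"exc_module": "builtins", "exc_type": "print", "exc_message": ["x"]}}',
]

if __name__ == "__main__":
    for task_id, findings in audit(SAMPLE_RECORDS).items():
        print(task_id, findings)
```

Run it against records exported from the backend (the Redis keys holding task metadata) rather than against the constructed sample; any finding indicates metadata that should not be allowed to reach the deserializer.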