EIQ-2022-0001#

ID

EIQ-2022-0001

CVE

CVE-2021-23727

Description

Celery ≤ 5.2.1 is vulnerable to stored command injection

Date

6 January 2022

Severity

2 - MEDIUM

CVSSv3 score

6.6

Status

✅ 2.12.0

Assessment

Celery 5.2.1 and earlier is vulnerable to stored command injection. An attacker can store a malicious command as task metadata in the Celery backend. When an exception is triggered, celery deserializes and reads that particular task’s metadata, consequently executing the malicious command.

To exploit this vulnerability, the attacker must have direct access to the Celery backend.

The Intelligence Center uses Redis as its Celery backend, and partially mitigates this vulnerability with the following defaults:

  • Secured with a generated password stored at /etc/eclecticiq-redis/local.conf.

  • Bound to 127.0.0.1 for single-machine installations, allowing only local access.

Full mitigation requires an upgrade to Celery 5.2.2 and later.

Mitigated on Hosted Intelligence Center instances; Redis instances cannot be accessed externally.

Affected versions of the Intelligence Center:

  • IC 2.11.x: Celery 5.0.5

  • IC 2.10.x: Celery 5.0.5

  • IC 2.9.x: Celery 4.4.6

Mitigation

Upgrade to IC 2.12.0. See assessment for mitigation on 2.11.x and earlier.

Affected versions

2.11.x and earlier

Notes

N/A