Celery local privilege escalation vulnerability
Moderate severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Sep 6, 2024
Package
Affected versions
>= 2.1.0, < 2.2.8
>= 2.3.0, < 2.3.4
>= 2.4.0, < 2.4.4
Patched versions
2.2.8
2.3.4
2.4.4
Description
Published by the National Vulnerability Database
Dec 5, 2011
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
May 1, 2024
Last updated
Sep 6, 2024
Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.
References