CVE-2021-23727:
OS Command Injection in celery
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.83011%
CWE
Published
1/6/2022
Updated
9/6/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
celery | pip | < 5.2.2 | 5.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the exception_to_python method in the base backend class. The pre-patch code would: 1) Dynamically load any Python class specified in 'exc_module'/'exc_type' metadata 2) Instantiate it with user-controlled 'exc_message' arguments. The security fix added critical validation (isinstance(cls, type) and issubclass(cls, BaseException)) to prevent non-exception classes from being instantiated. The commit message and CVE description explicitly reference this function as the injection point when processing manipulated task failure metadata from result stores.