CVE-2011-4356

EUVD-2011-0002
Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.9 UNKNOWN
LOCAL
MEDIUM
AV:L/AC:M/Au:N/C:C/I:C/A:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
celeryprojectcelery
2.1.0
celeryprojectcelery
2.2.0
celeryprojectcelery
2.2.1
celeryprojectcelery
2.2.2
celeryprojectcelery
2.2.3
celeryprojectcelery
2.2.4
celeryprojectcelery
2.2.5
celeryprojectcelery
2.2.6
celeryprojectcelery
2.2.7
celeryprojectcelery
2.3.0
celeryprojectcelery
2.3.1
celeryprojectcelery
2.3.2
celeryprojectcelery
2.3.3
celeryprojectcelery
2.4.0
celeryprojectcelery
2.4.1
celeryprojectcelery
2.4.2
celeryprojectcelery
2.4.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
celery
bookworm
5.2.6-5
fixed
bullseye
5.0.0-3
fixed
sid
5.4.0-2.1
fixed
trixie
5.4.0-2
fixed
Common Weakness Enumeration
References
http://secunia.com/advisories/46973
http://www.securityfocus.com/bid/50825
https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt
https://github.com/ask/celery/pull/544
http://secunia.com/advisories/46973
http://www.securityfocus.com/bid/50825
https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt
https://github.com/ask/celery/pull/544