CVE-2011-4356 : Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes

Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.

Published 2011-12-05 11:55:07

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2011-4356

Celeryproject » Celery » Version: 2.3.1
cpe:2.3:a:celeryproject:celery:2.3.1:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.3.2
cpe:2.3:a:celeryproject:celery:2.3.2:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.3.3
cpe:2.3:a:celeryproject:celery:2.3.3:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.4.0
cpe:2.3:a:celeryproject:celery:2.4.0:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.1
cpe:2.3:a:celeryproject:celery:2.2.1:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.1.0
cpe:2.3:a:celeryproject:celery:2.1.0:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.3.0
cpe:2.3:a:celeryproject:celery:2.3.0:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.4.1
cpe:2.3:a:celeryproject:celery:2.4.1:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.4.3
cpe:2.3:a:celeryproject:celery:2.4.3:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.3
cpe:2.3:a:celeryproject:celery:2.2.3:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.4
cpe:2.3:a:celeryproject:celery:2.2.4:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.5
cpe:2.3:a:celeryproject:celery:2.2.5:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.6
cpe:2.3:a:celeryproject:celery:2.2.6:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.2
cpe:2.3:a:celeryproject:celery:2.2.2:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.7
cpe:2.3:a:celeryproject:celery:2.2.7:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.2.0
cpe:2.3:a:celeryproject:celery:2.2.0:*:*:*:*:*:*:*
Matching versions
Celeryproject » Celery » Version: 2.4.2
cpe:2.3:a:celeryproject:celery:2.4.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-4356

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 11 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-4356

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2011-4356

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-4356

https://github.com/ask/celery/pull/544

Page not found · GitHub · GitHub
https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt

celery/CELERYSA-0001.txt at master · ask/celery · GitHub
Patch
http://secunia.com/advisories/46973

Sign in
http://www.securityfocus.com/bid/50825

Celery Argument Processing Local Privilege Escalation Vulnerability

Jump to

Vulnerability Details : CVE-2011-4356

Products affected by CVE-2011-4356

Exploit prediction scoring system (EPSS) score for CVE-2011-4356

CVSS scores for CVE-2011-4356

CWE ids for CVE-2011-4356

References for CVE-2011-4356