{"id":"PYSEC-2011-17","details":"Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes only the effective user/group id, not the real user/group id, during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev. Because the real id is left unchanged, the privilege drop is incomplete, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.","aliases":["CVE-2011-4356","GHSA-rpc6-h455-3rx5"],"modified":"2024-05-01T17:12:43.943311Z","published":"2011-12-05T11:55:00Z","references":[{"type":"WEB","url":"https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt"},{"type":"WEB","url":"https://github.com/ask/celery/pull/544"},{"type":"ADVISORY","url":"http://secunia.com/advisories/46973"},{"type":"WEB","url":"http://www.securityfocus.com/bid/50825"}],"affected":[{"package":{"name":"celery","ecosystem":"PyPI","purl":"pkg:pypi/celery"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.1"},{"fixed":"2.2.8"},{"introduced":"2.3"},{"fixed":"2.3.4"},{"introduced":"2.4"},{"fixed":"2.4.4"}]}],"versions":["2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.3.0","2.3.1","2.3.2","2.3.3","2.4.0","2.4.1","2.4.2","2.4.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/celery/PYSEC-2011-17.yaml"}}],"schema_version":"1.7.3"}