| Name | CVE-2020-17495 |
| --- | --- |
| Description | django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 968305 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| python-django-celery-results (PTS) | buster | 1.0.4-1 | vulnerable |
| | bullseye | 2.0.0-1 | vulnerable |
| | bookworm | 2.4.0-3 | vulnerable |
| | sid, trixie | 2.5.1-2.1 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
https://github.com/celery/django-celery-results/issues/142
Disputed upstream as a security vulnerability: it is up to the developers who pass
sensitive information when calling Celery tasks to provide suitable replacement arguments
through argsrepr and kwargsrepr, as described in:
https://github.com/celery/django-celery-results/issues/154#issuecomment-734706270
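The mitigation the note refers to, as an added example that is not code from the tracker page or from the django-celery-results project: Celery's apply_async() accepts argsrepr and kwargsrepr, the string forms that the result backend stores instead of repr(args) and repr(kwargs). The helpers below build redacted versions before the call; SENSITIVE_KEYS, the redaction marker and the rotate_credentials task are assumptions made for the illustration.

```python
"""Redacted argsrepr/kwargsrepr for Celery tasks (added example, not project code)."""
from typing import Any, Dict, Iterable, Tuple

# Assumption: substrings that mark a keyword argument as sensitive.
SENSITIVE_KEYS = {"password", "token", "secret", "api_key", "ssn"}
REDACTED = "<redacted>"


def _is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(key in lowered for key in SENSITIVE_KEYS)


def redact_kwargs(kwargs: Dict[str, Any]) -> str:
    """repr() of kwargs with the values of sensitive keys replaced."""
    cleaned = {k: (REDACTED if _is_sensitive(k) else v) for k, v in kwargs.items()}
    return repr(cleaned)


def redact_args(args: Tuple[Any, ...], sensitive_positions: Iterable[int] = ()) -> str:
    """repr() of positional args with the given positions replaced.

    Positional arguments carry no name, so the caller states which ones hold secrets."""
    secret = set(sensitive_positions)
    cleaned = tuple(REDACTED if i in secret else a for i, a in enumerate(args))
    return repr(cleaned)


def safe_task_options(args: Tuple[Any, ...], kwargs: Dict[str, Any],
                      sensitive_positions: Iterable[int] = ()) -> Dict[str, Any]:
    """Options to pass to Task.apply_async(**options): real args for the worker,
    redacted representations for whatever the result backend stores."""
    return {
        "args": args,
        "kwargs": kwargs,
        "argsrepr": redact_args(args, sensitive_positions),
        "kwargsrepr": redact_kwargs(kwargs),
    }


if __name__ == "__main__":
    try:
        from celery import Celery
    except ImportError:  # the helpers above do not need Celery installed
        raise SystemExit("install celery to run the apply_async demonstration")
    app = Celery("demo")  # hypothetical app; broker and result backend omitted

    @app.task
    def rotate_credentials(user_id, password, api_key=None):
        return user_id

    opts = safe_task_options((42, "hunter2"), {"api_key": "sk-live"}, sensitive_positions=[1])
    rotate_credentials.apply_async(**opts)  # backend sees (42, '<redacted>') and {'api_key': '<redacted>'}
```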