-
|
Hi, Is it safe to upgrade celery to the latest version? Versions < 5.2 are vulnerable to Stored Command Injection as per https://github.com/celery/celery/blob/master/Changelog.rst Thanks |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
It should be safe to upgrade. Please note that the vulnerability is not exploitable without access to the Celery results backend (for Weblate it is most likely redis). That would indicate severe security issue in the infrastructure, and the attacker would be most likely able to exploit that in simpler means than via CVE-2021-23727. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the prompt reply and explanation! |
Beta Was this translation helpful? Give feedback.
-
|
Also, Weblate 4.10 officially supports Celery 5.2.x: Line 3 in e93c81d |
Beta Was this translation helpful? Give feedback.
It should be safe to upgrade.
Please note that the vulnerability is not exploitable without access to the Celery results backend (for Weblate it is most likely redis). That would indicate severe security issue in the infrastructure, and the attacker would be most likely able to exploit that in simpler means than via CVE-2021-23727.