vuln-list-alt/oval/c10f1/ALT-PU-2024-15269/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:202415269",
      "Version": "oval:org.altlinux.errata:def:202415269",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2024-15269: package `python3-module-celery` update to version 5.3.6-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch c10f1"
            ],
            "Products": [
              "ALT SP Workstation",
              "ALT SP Server"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2024-15269",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2024-15269",
            "Source": "ALTPU"
          },
          {
            "RefID": "CVE-2021-23727",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-23727",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades python3-module-celery to version 5.3.6-alt1. \nSecurity Fix(es):\n\n * CVE-2021-23727: This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2024-11-11"
          },
          "Updated": {
            "Date": "2024-11-11"
          },
          "BDUs": null,
          "CVEs": [
            {
              "ID": "CVE-2021-23727",
              "CVSS": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-77",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-23727",
              "Impact": "High",
              "Public": "20211229"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:spworkstation:10",
              "cpe:/o:alt:spserver:10"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:4001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:202415269001",
                "Comment": "python3-module-celery is earlier than 0:5.3.6-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:202415269002",
                "Comment": "python3-module-celery-sphinx is earlier than 0:5.3.6-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}