CVE-2020-17495

Name: CVE-2020-17495
Description: django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs: 968305

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                        Release          Version    Status
python-django-celery-results (PTS)    buster           1.0.4-1    vulnerable
python-django-celery-results (PTS)    bullseye         2.0.0-1    vulnerable
python-django-celery-results (PTS)    bookworm, sid    2.4.0-3    vulnerable

The information below is based on the following data on fixed versions.

Package                         Type      Release       Fixed Version    Urgency        Origin    Debian Bugs
python-django-celery-results    source    (unstable)    (unfixed)        unimportant              968305

Notes

https://github.com/celery/django-celery-results/issues/142
Disputed upstream as a security vulnerability: it is up to the developers who pass
sensitive information when calling celery tasks to provide a suitable replacement
representation of the arguments through argsrepr and kwargsrepr, as described in:
https://github.com/celery/django-celery-results/issues/154#issuecomment-734706270
