Description: django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 968305

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| python-django-celery-results (PTS) | bullseye | 2.0.0-1 | vulnerable |
| python-django-celery-results (PTS) | sid, trixie | 2.5.1-2.1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|

Disputed upstream as a security vulnerability, as it is up to the developers who use
sensitive information when calling celery tasks to provide suitable replacement arguments
through argsrepr and kwargsrepr as described in:
