Moderate severity · NVD Advisory · Published Dec 5, 2011 · Updated Apr 29, 2026

CVE-2011-4356

Description

Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.
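
The condition in the description can be checked from inside a process by comparing the real, effective and saved ids against the intended target. The following is an added example, not Celery's code: `audit_dropped_ids`, `audit_current_process` and `drop_privileges` are hypothetical helper names, the sample id triples are constructed, and clearing supplementary groups with `os.setgroups([])` is an assumption about the desired end state.

```python
import os

def audit_dropped_ids(resuid, resgid, target_uid, target_gid):
    """Return findings for (real, effective, saved) id triples.

    An empty list means the drop to target_uid/target_gid is complete.
    """
    findings = []
    for kind, triple, target in (("uid", resuid, target_uid),
                                 ("gid", resgid, target_gid)):
        for name, value in zip(("real", "effective", "saved"), triple):
            if value != target:
                findings.append("%s %s is %d, expected %d"
                                % (name, kind, value, target))
    return findings

def audit_current_process(target_uid, target_gid):
    """Audit the running process (needs os.getresuid, e.g. Linux/BSD)."""
    return audit_dropped_ids(os.getresuid(), os.getresgid(),
                             target_uid, target_gid)

def drop_privileges(uid, gid):
    """Hypothetical helper: permanent drop, then verify. Must start as root."""
    os.setgroups([])   # assumption: no supplementary groups wanted
    os.setgid(gid)     # group first; after setuid it can no longer be changed
    os.setuid(uid)     # called as root, sets real, effective and saved uid
    findings = audit_current_process(uid, gid)
    if findings:
        raise RuntimeError("incomplete privilege drop: " + "; ".join(findings))

# Constructed sample states (not captured from a real worker).
# Effective-only change, as the advisory describes: real and saved ids stay 0.
EFFECTIVE_ONLY = ((0, 1000, 0), (0, 1000, 0))
FULL_DROP = ((1000, 1000, 1000), (1000, 1000, 1000))

if __name__ == "__main__":
    for label, (resuid, resgid) in (("effective-only", EFFECTIVE_ONLY),
                                    ("full drop", FULL_DROP)):
        print(label, audit_dropped_ids(resuid, resgid, 1000, 1000))
```
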

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions      Patched versions
celery (PyPI)    >= 2.1.0, < 2.2.8      2.2.8
celery (PyPI)    >= 2.3.0, < 2.3.4      2.3.4
celery (PyPI)    >= 2.4.0, < 2.4.4      2.4.4

Affected products

17
    • cpe:2.3:a:celeryproject:celery:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:celeryproject:celery:2.4.3:*:*:*:*:*:*:*

Patches

3
53514b158b74

Root warning should use getuid not geteuid

https://github.com/celery/celery · Ask Solem · Nov 24, 2011 · via ghsa
1 file changed · +2 -2
  • celery/apps/worker.py +2 -2 modified
    @@ -130,9 +130,9 @@ def run(self):
             self.worker_init()
             self.redirect_stdouts_to_logger()
     
    -        if getattr(os, "geteuid", None) and os.geteuid() == 0:
    +        if getattr(os, "getuid", None) and os.getuid() == 0:
                 warnings.warn(
    -                "Running celeryd with superuser privileges is not encouraged!")
    +                "Running celeryd with superuser privileges is discouraged!")
     
             if self.discard:
                 self.purge_messages()
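
Review bot: the new condition `os.getuid() == 0` drops the effective-id test entirely, so a process whose real uid is non-root but whose effective uid is 0 no longer triggers the warning. Consider testing both ids, e.g. `if getattr(os, "getuid", None) and 0 in (os.getuid(), os.geteuid()):`, so the warning fires when either one is root.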
    
73388921731a

Root warning should use getuid not geteuid

https://github.com/celery/celery · Ask Solem · Nov 24, 2011 · via ghsa
1 file changed · +2 -2
  • celery/apps/worker.py +2 -2 modified
    @@ -119,9 +119,9 @@ def run(self):
             self.worker_init()
             self.redirect_stdouts_to_logger()
     
    -        if getattr(os, "geteuid", None) and os.geteuid() == 0:
    +        if getattr(os, "getuid", None) and os.getuid() == 0:
                 warnings.warn(
    -                "Running celeryd with superuser privileges is not encouraged!")
    +                "Running celeryd with superuser privileges is discouraged!")
     
             if self.discard:
                 self.purge_messages()
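
Review bot: the `warnings.warn(...)` call passes no category, so this is a plain UserWarning that Python's default filter prints only once per location and that a global warnings filter can silence. Since `redirect_stdouts_to_logger()` has already run at this point, consider also emitting the message through the worker's logger at warning level so it is recorded on every start.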
    
e0767e409947

Root warning should use getuid not geteuid

https://github.com/celery/celery · Ask Solem · Nov 24, 2011 · via ghsa
1 file changed · +2 -2
  • celery/apps/worker.py +2 -2 modified
    @@ -124,9 +124,9 @@ def run(self):
             self.worker_init()
             self.redirect_stdouts_to_logger()
     
    -        if getattr(os, "geteuid", None) and os.geteuid() == 0:
    +        if getattr(os, "getuid", None) and os.getuid() == 0:
                 warnings.warn(
    -                "Running celeryd with superuser privileges is not encouraged!")
    +                "Running celeryd with superuser privileges is discouraged!")
     
             if self.discard:
                 self.purge_messages()
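
Review bot: the `if` in `run()` now tests the real uid but carries no comment saying why, and the warning text does not tell the operator which id is still root. Add a one-line comment above the check and name the id in the message (for example "real uid is 0"), since this one-file change only adjusts the warning and the worker continues to run after it.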
    
