CVE-2022-30034
CVSS 8.6 · HIGH
Summary
Flower, a web UI for the Celery Python RPC framework, is vulnerable in all versions as of 05-02-2022 to an OAuth authentication bypass. An attacker who bypasses authentication can reach the Flower API to discover and invoke arbitrary Celery RPC calls, or deny service by shutting down Celery worker (task) nodes.
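The impact named in the summary (API discovery, arbitrary task invocation, worker shutdown) leaves a trace in Flower's own access log, which is Tornado's. What follows is an added example, not code from the Flower project or from this record: a triage script over Tornado-style access-log lines that flags successful calls to the Flower API routes matching each impact. The sample log lines are constructed, and the endpoint list (/api/workers, /api/tasks, /api/task/apply/, /api/task/async-apply/, /api/task/send-task/, /api/worker/shutdown/) is this example's assumption about the routes of the deployed Flower version and should be checked against it. Only 2xx responses count: a 401 or 403 on one of these paths means the authentication check held.

```python
"""Triage Flower (Tornado) access-log lines for successful Flower API calls.

Added example for this CVE record, not code from the Flower project.
Log line layout follows Tornado's default access-log format; sample lines
below are constructed. The endpoint prefixes are an assumption about the
routes exposed by the deployed Flower version.
"""
import re
from collections import Counter

# Tornado access-log line, e.g.
# [I 220502 12:00:07 web:2246] 200 POST /api/worker/shutdown/celery@worker1 (198.51.100.7) 3.10ms
LOG_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<date>\d{6}) (?P<time>\d{2}:\d{2}:\d{2}) [^\]]*\] "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"\((?P<ip>[^)]+)\) (?P<ms>[\d.]+)ms$"
)

# Flower API path prefixes grouped by the impact named in the CVE summary.
# Assumption: these are the routes of the Flower version under review.
CATEGORY_BY_PREFIX = [
    ("/api/worker/shutdown/", "worker_shutdown"),    # denial of service
    ("/api/task/apply/", "task_invocation"),         # arbitrary Celery RPC
    ("/api/task/async-apply/", "task_invocation"),
    ("/api/task/send-task/", "task_invocation"),
    ("/api/workers", "enumeration"),                 # discovery of workers
    ("/api/tasks", "enumeration"),                   # discovery of tasks
]

HIGH_RISK = {"worker_shutdown", "task_invocation"}

# Constructed sample log: one source enumerates, invokes a task, then shuts a
# worker down; a second source is refused with 403 and should not be flagged.
SAMPLE_LOG = """\
[I 220502 12:00:01 web:2246] 200 GET /dashboard (10.0.0.5) 4.10ms
[I 220502 12:00:03 web:2246] 200 GET /api/workers?refresh=1 (198.51.100.7) 5.02ms
[I 220502 12:00:04 web:2246] 200 GET /api/tasks (198.51.100.7) 2.33ms
[W 220502 12:00:05 web:2246] 403 POST /api/worker/shutdown/celery@worker1 (203.0.113.9) 1.12ms
[I 220502 12:00:06 web:2246] 200 POST /api/task/apply/tasks.add (198.51.100.7) 7.80ms
[I 220502 12:00:07 web:2246] 200 POST /api/worker/shutdown/celery@worker1 (198.51.100.7) 3.10ms
[W 220502 12:00:08 web:2246] 404 GET /api/nonexistent (198.51.100.7) 0.90ms
"""


def parse_line(line):
    """Parse one Tornado access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(path):
    """Map a request path to an impact category, or None if it is not a watched route."""
    for prefix, category in CATEGORY_BY_PREFIX:
        if path.startswith(prefix):
            return category
    return None


def triage(lines):
    """Return findings for successful (2xx) calls to watched Flower API routes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["path"])
        if category is None or not 200 <= rec["status"] < 300:
            continue
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "category": category,
            "when": f'{rec["date"]} {rec["time"]}',
        })
    return findings


def summarize(findings):
    """Count successful API actions per (source IP, category)."""
    return Counter((f["ip"], f["category"]) for f in findings)


def high_risk_sources(findings):
    """Source IPs that invoked tasks or shut workers down."""
    return {f["ip"] for f in findings if f["category"] in HIGH_RISK}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f'{f["when"]} {f["ip"]} {f["method"]} {f["path"]} -> {f["category"]}')
    print("high-risk sources:", sorted(high_risk_sources(found)))
```

Run against a real log, pipe the lines into `triage()` and alert on any entry from `high_risk_sources()` that is not a known operator; enumeration-only hits from unknown sources are worth a look too, since the summary lists discovery as the first step. The script cannot tell whether a flagged call came through the OAuth bypass or from a legitimately authenticated user, so treat the output as triage input, not as proof of exploitation.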
CVSS 3.1 breakdown
| Base score | 8.6 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity | LOW |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Flower_project flower
References
- https://github.com/mher/flower
- https://github.com/mher/flower/issues/1217
- https://tprynn.github.io/2022/05/26/flower-vulns.html
Data: NIST NVD. NVD last modified 2024-11-21. Always verify against the vendor advisory before acting.