Home > Vulnerability Database > CVE-2022-30034

Mend.io Vulnerability Database

CVE-2022-30034

Good to know:

Date: May 31, 2022

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.

Language: Python

Severity Score

8.6

Related Resources (8)

Url: http://githubcommherflower.com

Url: https://tprynn.github.io/2022/05/26/flower-vulns.html

Url: https://github.com/mher/flower/pull/1216

Url: https://github.com/mher/flower

Url: https://github.com/mher/flower/issues/1217

Url: https://github.com/pypa/advisory-database/tree/main/vulns/flower/PYSEC-2022-42973.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-30034

Url: https://www.mend.io/vulnerability-database/CVE-2022-30034

Severity Score

8.6

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version flower - 1.2.0

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-30034

Good to know:

Date: May 31, 2022

Language: Python

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?