CVE-2022-30034 – CVE-2022-30034 is an OAuth authentication bypas... (How to Fix)

Q: What is the severity of CVE-2022-30034?

CVE-2022-30034 has a CVSS score of 8.6 (HIGH). CVE-2022-30034 is an OAuth authentication bypass vulnerability in Flower, the web UI for Celery Python RPC framework. This allows attackers to bypass authentication and access the Flower API to discover and invoke arbitrary Celery RPC calls or shut down task nodes, potentially leading to remote code execution or denial of service. All Flower installations as of May 2, 2022 are affected.

📋 TL;DR

CVE-2022-30034 is an OAuth authentication bypass vulnerability in Flower, the web UI for Celery Python RPC framework. This allows attackers to bypass authentication and access the Flower API to discover and invoke arbitrary Celery RPC calls or shut down task nodes, potentially leading to remote code execution or denial of service. All Flower installations as of May 2, 2022 are affected.

💻 Affected Systems

Products:

Flower (Celery monitoring tool)

Versions: All versions as of 2022-05-02

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all Flower installations using OAuth authentication. Non-OAuth configurations are not affected.

📦 What is this software?

Flower by Flower Project

View all CVEs affecting Flower →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full control over Celery infrastructure, execute arbitrary code through RPC calls, exfiltrate sensitive data, and cause complete service disruption by shutting down all task nodes.

🟠

Likely Case

Unauthorized access to Flower dashboard, discovery of internal task workflows, potential data exposure from task results, and targeted denial of service against specific Celery nodes.

🟢

If Mitigated

Limited impact with proper network segmentation and authentication controls, though the vulnerability still exists in the application layer.

🌐 Internet-Facing: HIGH - Internet-facing Flower instances are directly exploitable without authentication, allowing complete compromise of the Celery infrastructure.

🏢 Internal Only: MEDIUM - Internal instances still pose significant risk if attackers gain internal network access, but require initial foothold.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details available in GitHub issues and security write-ups. Exploitation requires network access to Flower instance but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.2.0 and later

Vendor Advisory: https://github.com/mher/flower/issues/1217

Restart Required: Yes

Instructions:

1. Upgrade Flower to version 1.2.0 or later using pip: 'pip install --upgrade flower>=1.2.0'. 2. Restart the Flower service. 3. Verify OAuth configuration is properly secured.

🔧 Temporary Workarounds

Disable OAuth Authentication

all

Temporarily disable OAuth authentication and use alternative authentication methods or restrict access

Configure Flower without OAuth: remove or comment OAuth settings in flower configuration

Network Access Restriction

linux

Restrict network access to Flower instance using firewall rules

iptables -A INPUT -p tcp --dport 5555 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 5555 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation: Place Flower behind VPN or internal network with no internet exposure
Deploy Web Application Firewall (WAF) with rules to block unauthorized API access patterns

🔍 How to Verify

Check if Vulnerable:

Check Flower version: if version < 1.2.0 and OAuth is enabled, the system is vulnerable. Also check if unauthorized API access is possible without valid OAuth tokens.

Check Version:

flower --version  # or check pip list: pip show flower | grep Version

Verify Fix Applied:

Verify Flower version is 1.2.0 or higher: 'flower --version'. Test that OAuth authentication properly rejects unauthorized requests.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to Flower API endpoints
OAuth authentication failures followed by successful API calls
Unusual RPC task invocations from unknown sources

Network Indicators:

HTTP requests to Flower API endpoints without proper authentication headers
Unusual traffic patterns to Flower port (default 5555) from unexpected sources

SIEM Query:

source="flower.log" AND ("401" OR "403") AND ("POST /api" OR "GET /api") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2022-30034

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE: CWE-287

Published: June 2, 2022

Last Updated: November 21, 2024

🔗 References

http://githubcommherflower.com Broken Link,URL Repurposed
https://github.com/mher/flower/issues/1217 Exploit,Issue Tracking
https://tprynn.github.io/2022/05/26/flower-vulns.html Exploit,Third Party Advisory
http://githubcommherflower.com Broken Link,URL Repurposed
https://github.com/mher/flower/issues/1217 Exploit,Issue Tracking
https://tprynn.github.io/2022/05/26/flower-vulns.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-30034, you might also want to check these: