Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2011-4213

The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.

Published

2011-10-30T19:55:01.053

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.2 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	google	app_engine_python_sdk	< 1.5.4	Yes

References

http://blog.watchfire.com/files/googleappenginesdk.pdf Exploit ([email protected])
http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes Patch ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/71062 VDB Entry ([email protected])
http://blog.watchfire.com/files/googleappenginesdk.pdf Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes Patch (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/71062 VDB Entry (af854a3a-2127-422b-91ae-364da2661108)