CVE-2011-4213
Summary
| CVE | CVE-2011-4213 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2011-10-30 19:55:00 UTC |
| Updated | 2019-04-10 15:14:00 UTC |
| Description | The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | App Engine Python Sdk | All | All | All | All | |
| Application | App Engine Python Sdk | All | All | All | All | |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| SdkReleaseNotes - googleappengine - Google App Engine Python SDK Release Notes - Google App Engine - Google Project Hosting | MISC | code.google.com | Patch |
| blog.watchfire.com | MISC | blog.watchfire.com | Exploit |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.