{"api_version":"1","generated_at":"2026-04-22T21:27:05+00:00","cve":"CVE-2011-4213","urls":{"html":"https://cve.report/CVE-2011-4213","api":"https://cve.report/api/cve/CVE-2011-4213.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2011-4213","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2011-4213"},"summary":{"title":"CVE-2011-4213","description":"The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2011-10-30 19:55:00","updated_at":"2019-04-10 15:14:00"},"problem_types":["CWE-264"],"metrics":[],"references":[{"url":"http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes","name":"http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes","refsource":"MISC","tags":["Patch"],"title":"SdkReleaseNotes - \n googleappengine -\n \n Google App Engine Python SDK Release Notes - \n Google App Engine - Google Project Hosting","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://blog.watchfire.com/files/googleappenginesdk.pdf","name":"http://blog.watchfire.com/files/googleappenginesdk.pdf","refsource":"MISC","tags":["Exploit"],"title":"Access denied | blog.watchfire.com used Cloudflare to restrict access","mime":"text/html","httpstatus":"403","archivestatus":"403"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/71062","name":"google-apps-osmodule-priv-esc(71062)","refsource":"XF","tags":["VDB Entry"],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2011-4213","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4213","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2011","cve_id":"4213","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"google","cpe5":"app_engine_python_sdk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4213","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"google","cpe5":"app_engine_python_sdk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2011-4213","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes","refsource":"MISC","url":"http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes"},{"name":"http://blog.watchfire.com/files/googleappenginesdk.pdf","refsource":"MISC","url":"http://blog.watchfire.com/files/googleappenginesdk.pdf"},{"name":"google-apps-osmodule-priv-esc(71062)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/71062"}]}},"nvd":{"publishedDate":"2011-10-30 19:55:00","lastModifiedDate":"2019-04-10 15:14:00","problem_types":["CWE-264"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:C/I:C/A:C","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":7.2},"severity":"HIGH","exploitabilityScore":3.9,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:google:app_engine_python_sdk:*:*:*:*:*:*:*:*","versionEndExcluding":"1.5.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2011","CveId":"4213","Ordinal":"51620","Title":"CVE-2011-4213","CVE":"CVE-2011-4213","Year":"2011"},"notes":[{"CveYear":"2011","CveId":"4213","Ordinal":"1","NoteData":"The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.","Type":"Description","Title":null},{"CveYear":"2011","CveId":"4213","Ordinal":"2","NoteData":"2011-10-30","Type":"Other","Title":"Published"},{"CveYear":"2011","CveId":"4213","Ordinal":"3","NoteData":"2017-08-28","Type":"Other","Title":"Modified"}]}}}