Privilege Escalation in Google App Engine Python SDK by Google
CVE-2011-4212

Currently unrated

Key Information:

Vendor: Google
CVE Published: 30 October 2011

Summary

The sandbox environment in the Google App Engine Python SDK prior to version 1.5.4 does not properly restrict access to the os.popen function. A local user can execute arbitrary commands by supplying a reference to dev_appserver's RestrictedPathFunction._original_os in the code parameter of a request to _ah/admin/interactive/execute. This is a serious security risk: it allows unauthorized command execution, which the sandbox is designed to prevent.

Timeline

  • Vulnerability published

  • Vulnerability Reserved