A vulnerability classified as critical was found in Google App Engine Python SDK up to 1.0.1 (Programming Language Software). Affected by this vulnerability is some unknown functionality of the component Access Restriction. The manipulation of the argument code with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-264. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

The FakeFile implementation in the sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly control the opening of files, which allows local users to bypass intended access restrictions and create arbitrary files via ALLOWED_MODES and ALLOWED_DIRS changes within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.

The weakness was disclosed 10/30/2011 as tp://co (Website). The advisory is shared at code.google.com. This vulnerability is known as CVE-2011-4211 since 10/30/2011. The exploitation appears to be easy. An attack has to be approached locally. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 1.0.2 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (71064). The entries 3516, 47987, 47513 and 50835 are pretty similar.

Productinfo

Type

• Programming Language Software

Vendor

• Google

Name

• App Engine Python SDK

Version

• 1.0.0
• 1.0.1

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion