Google App Engine Python SDK Code Execution

Aleph Research Advisory

Identifier

CVE-2011-1364

Severity

High

Product

Google App Engine SDK for Python

Mitigation

Upgrade to version 1.5.4 or later.

Technical Details

By combining a CSRF vulnerability in the administration web UI, with some other vulnerabilities in the Google python libraries, a remote attacker could gain remote code execution privileges on victim’s machine. This vulnerability affects all operation systems running Google App Engine SDK for python (i.e. Windows, Mac OS, etc.).

Timeline

01-Mar-17
: Added as ALEPH-2011005.
11-Oct-11
: Public disclosure.

Credit

Adi Sharabani (@adisharabani)

External References

paper