eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) web application before 2015-10-30 makes improper popen calls, which allows remote attackers to execute arbitrary commands via an HTTP request that includes shell metacharacters in an argument to a "gcloud compute" command.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Isucon
  • Isucon 5 Qualifier Eventapp

Configuration 1 [-]

cpe:2.3:a:isucon:isucon_5_qualifier_eventapp:-:*:*:*:*:*:*:*

No data.

References
Link Providers
http://jvn.jp/en/jp/JVN04281281/index.html cve-icon cve-icon
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175 cve-icon cve-icon
https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa cve-icon cve-icon
https://github.com/isucon/isucon5-qualify/pull/5 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2015-11-04T02:00:00

Updated: 2024-08-06T06:59:04.130Z

Reserved: 2015-07-24T00:00:00

Link: CVE-2015-5673

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2015-11-04T03:59:05.747

Modified: 2015-11-04T19:41:02.367

Link: CVE-2015-5673

cve-icon Redhat

No data.