CVE-2011-1364

Cross-site request forgery (CSRF) vulnerability in _ah/admin/interactive/execute (aka the Interactive Console) in the SDK Console (aka Admin Console) in the Google App Engine Python SDK before 1.5.4 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary Python code via the code parameter.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://blog.watchfire.com/files/googleappenginesdk.pdf	Exploit
http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes	Patch
http://www.securityfocus.com/bid/50075
https://exchange.xforce.ibmcloud.com/vulnerabilities/69958
http://blog.watchfire.com/files/googleappenginesdk.pdf	Exploit
http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes	Patch
http://www.securityfocus.com/bid/50075
https://exchange.xforce.ibmcloud.com/vulnerabilities/69958

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:google:app_engine_python_sdk::::::::
	cpe:2.3:a:google:app_engine_python_sdk:1.0.1:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.0.2:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.0:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.1:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.2:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.3:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.4:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.5:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.6:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.7:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.8:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.1.9:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.0:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.1:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.2:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.3:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.4:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.5:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.6:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.2.7:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.0:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.1:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.2:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.3:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.4:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.5:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.6:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.7:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.3.8:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.4.0:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.4.1:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.4.2:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.4.3:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.5.0:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.5.1:::::::*
	cpe:2.3:a:google:app_engine_python_sdk:1.5.2:::::::*

History

21 Nov 2024, 01:26

Type	Values Removed	Values Added
References	~~() http://blog.watchfire.com/files/googleappenginesdk.pdf - Exploit~~	() http://blog.watchfire.com/files/googleappenginesdk.pdf - Exploit
References	~~() http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes - Patch~~	() http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes - Patch
References	~~() http://www.securityfocus.com/bid/50075 -~~	() http://www.securityfocus.com/bid/50075 -
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/69958 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/69958 -

Information

Published : 2011-10-30 19:55

Updated : 2024-11-21 01:26

NVD link : CVE-2011-1364

Mitre link : CVE-2011-1364

CVE.ORG link : CVE-2011-1364

JSON object : View

Products Affected

google

app_engine_python_sdk

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

6.8 /10