CVE-2015-5673

Published: Nov 4, 2015Modified: May 6, 2026

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability: 8.0 / Impact: 6.4

Source: NVD

Description

eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) web application before 2015-10-30 makes improper popen calls, which allows remote attackers to execute arbitrary commands via an HTTP request that includes shell metacharacters in an argument to a "gcloud compute" command.

Affected (1)

Products: Isucon: Isucon 5 Qualifier Eventapp

1 product

Isucon 5 Qualifier Eventapp

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Isucon Isucon 5 Qualifier Eventapp	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (8)

http://jvn.jp/en/jp/JVN04281281/index.html

Source: vultures@jpcert.or.jp

Vendor Advisory

http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175

Source: vultures@jpcert.or.jp

Vendor Advisory

https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa

Source: vultures@jpcert.or.jp

https://github.com/isucon/isucon5-qualify/pull/5

Source: vultures@jpcert.or.jp

http://jvn.jp/en/jp/JVN04281281/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/isucon/isucon5-qualify/pull/5

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.