CVE-2015-5673 - Vulnerability Details - OpenCVE

eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) web application before 2015-10-30 makes improper popen calls, which allows remote attackers to execute arbitrary commands via an HTTP request that includes shell metacharacters in an argument to a "gcloud compute" command.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Isucon	Isucon 5 Qualifier Eventapp

Configuration 1 [-]

cpe:2.3:a:isucon:isucon_5_qualifier_eventapp:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://jvn.jp/en/jp/JVN04281281/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175
https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa
https://github.com/isucon/isucon5-qualify/pull/5

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2015-11-04T02:00:00

Updated: 2024-08-06T06:59:04.130Z

Reserved: 2015-07-24T00:00:00

Link: CVE-2015-5673

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-11-04T03:59:05.747

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-5673

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-11-02T00:00:00", "descriptions": [{"lang": "en", "value": "eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) web application before 2015-10-30 makes improper popen calls, which allows remote attackers to execute arbitrary commands via an HTTP request that includes shell metacharacters in an argument to a \"gcloud compute\" command."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-11-04T02:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"name": "JVNDB-2015-000175", "tags": ["third-party-advisory", "x_refsource_JVNDB"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/isucon/isucon5-qualify/pull/5"}, {"name": "JVN#04281281", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN04281281/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2015-5673", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) web application before 2015-10-30 makes improper popen calls, which allows remote attackers to execute arbitrary commands via an HTTP request that includes shell metacharacters in an argument to a \"gcloud compute\" command."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "JVNDB-2015-000175", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175"}, {"name": "https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa", "refsource": "CONFIRM", "url": "https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa"}, {"name": "https://github.com/isucon/isucon5-qualify/pull/5", "refsource": "CONFIRM", "url": "https://github.com/isucon/isucon5-qualify/pull/5"}, {"name": "JVN#04281281", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN04281281/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:59:04.130Z"}, "title": "CVE Program Container", "references": [{"name": "JVNDB-2015-000175", "tags": ["third-party-advisory", "x_refsource_JVNDB", "x_transferred"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/isucon/isucon5-qualify/pull/5"}, {"name": "JVN#04281281", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"], "url": "http://jvn.jp/en/jp/JVN04281281/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2015-5673", "datePublished": "2015-11-04T02:00:00", "dateReserved": "2015-07-24T00:00:00", "dateUpdated": "2024-08-06T06:59:04.130Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isucon:isucon_5_qualifier_eventapp:-:*:*:*:*:*:*:*", "matchCriteriaId": "20A1D4DD-5BC5-4EF2-B1C3-60E9C94487F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) web application before 2015-10-30 makes improper popen calls, which allows remote attackers to execute arbitrary commands via an HTTP request that includes shell metacharacters in an argument to a \"gcloud compute\" command."}, {"lang": "es", "value": "eventapp/lib/gcloud.rb en el portal calificador ISUCON5 (tambi\u00e9n conocido como eventapp) aplicaci\u00f3n web en versiones anteriores a 2015-10-30 realiza llamadas popen indebidas, lo que permite a atacantes remotos ejecutar comandos arbitrarios a trav\u00e9s de una petici\u00f3n HTTP que incluye metacaracteres de shell en un argumento a un comando 'gcloud compute'."}], "id": "CVE-2015-5673", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-04T03:59:05.747", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://jvn.jp/en/jp/JVN04281281/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/isucon/isucon5-qualify/pull/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://jvn.jp/en/jp/JVN04281281/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000175"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/isucon/isucon5-qualify/pull/5"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}