Shell Injection in backup strategies
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack DBaaS (Trove) | Triaged | Medium | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | High | Travis McPeak | |
Bug Description
Trove uses subprocess.Popen with shell=True in trove/trove/

```python
def run(self):
    # self.process is the Popen(..., shell=True) handle described above
    self.pid = self.process.pid
```
This could be used, maliciously or not, to inject arbitrary commands into a command line string. An example of how this could be triggered is in trove/trove/
For more information on subprocess, shell=True and command injection see: https:/
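An added example (not Trove's code and not part of the report) showing what the description above means in practice and what the two standard fixes look like. mysqldump stands in for the backup tool, and the command shape and the credential value are constructed for the demonstration.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample value: what an operator-supplied credential could contain.
# Under shell=True, /bin/sh would treat the ';' as a command separator.
SAMPLE_PASSWORD = "pw; echo INJECTED"


def build_backup_command_unsafe(password: str) -> str:
    """The shape reported in the bug: one string interpolated with config values
    and handed to Popen(..., shell=True). mysqldump stands in for the backup tool."""
    return "mysqldump --user=root --password=%s --all-databases" % password


def build_backup_command_quoted(password: str) -> str:
    """Mitigation when shell=True cannot be removed: quote every interpolated value."""
    return "mysqldump --user=root --password=%s --all-databases" % shlex.quote(password)


def build_backup_command_safe(password: str) -> list:
    """Preferred fix: an argv list with shell=False, so no shell parses the values."""
    return ["mysqldump", "--user=root", "--password=" + password, "--all-databases"]


def shell_would_see(command: str) -> list:
    """Approximate how a POSIX shell tokenises the string (punctuation_chars makes
    ';', '|', '&' and friends separate tokens, as the shell would treat them)."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def argv_reaches_child(argv: list) -> list:
    """Run the argv list with shell=False and return the arguments the child saw.
    The Python interpreter replaces mysqldump so the demo runs offline."""
    probe = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"] + argv[1:]
    out = subprocess.run(probe, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    print("unsafe :", shell_would_see(build_backup_command_unsafe(SAMPLE_PASSWORD)))
    print("quoted :", shell_would_see(build_backup_command_quoted(SAMPLE_PASSWORD)))
    print("argv   :", argv_reaches_child(build_backup_command_safe(SAMPLE_PASSWORD)))
```

The unsafe form yields a separate `;` token followed by a second command, while the quoted string and the argv list both keep the whole value as one `--password=` argument.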
Changed in ossn:
  importance: Undecided → High
  assignee: nobody → Travis McPeak (travis-mcpeak)
Changed in ossn:
  status: New → In Progress
Changed in ossn:
  status: In Progress → Fix Released
Changed in trove:
  importance: Undecided → Medium
  status: New → Triaged
Changed in trove:
  assignee: Amrith Kumar (amrith) → nobody
Thanks for your bug report. I agree. The process does not need to be created like this (with shell=True). It would probably be better to use the standard oslo wrappers for things like this. In relation to the example attack vector the mysql password would need to be set by an administrator IIUC so hopefully the severity of this is reasonably low.