Apache OpenWhisk is prone to a remote code-execution vulnerability.
An attacker may exploit this issue to inject and execute arbitrary code within the context of the affected application; this may aid in further attacks.
Versions prior to Apache OpenWhisk 1.3.1 are vulnerable.
Information
Exploit
The researcher has created a functional exploit to demonstrate the issue. Please see the references for more information.
References:
- Do not allow re-init of the action exec. (Apache)
- #0b6d8a677f1c063ed32eb3638ef4d1a47dfba89 (Apache)
- Apache Homepage (Apache)
- ibm10718977: IBM Cloud Functions is affected by two function runtimevulnerabilit (IBM)
- PureSec Security Advisory (puresec.io)