Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
In March 2016, security researcher Orange Tsai identified a critical Remote Code Execution (RCE) vulnerability on Uber's platform, specifically within rider.uber.com. The flaw stemmed from a Server-Side Template Injection (SSTI) in a Flask web application using the Jinja2 template engine. The rider's profile name was inserted into a template string and then processed by the template engine without proper sanitization, so whatever the user typed into that field was treated as template syntax rather than as data. This oversight allowed an attacker to inject and execute arbitrary code on the server. Uber promptly addressed the issue upon disclosure and awarded a $10,000 bounty for the report.
A relevant CVE is CVE-2019-8341.
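The pattern described above, as an added example that is not part of the original post or of SecDim's Ubor challenge: the vulnerable code builds the template string by concatenating the user-supplied profile name into it, while the fixed version keeps the template fixed and passes the name in as a context variable. The example drives Jinja2 directly rather than through Flask (Flask's `render_template_string` wraps the same engine), and the `profile_name` input and the `{{ 7 * 7 }}` probe are constructed values used only to show that the vulnerable version evaluates user input as template code while the fixed version renders it literally.

```python
# Added example (not from the original page). Requires the jinja2 package.
from jinja2 import Environment

# Autoescaping is on so the fixed variant also neutralises HTML metacharacters;
# it does nothing about template injection, which is what the two functions compare.
_env = Environment(autoescape=True)


def render_greeting_vulnerable(profile_name: str) -> str:
    """VULNERABLE: the untrusted name becomes part of the template source.

    Any {{ ... }} or {% ... %} in the name is parsed and executed by Jinja2,
    which is exactly the SSTI class of bug described in the post.
    """
    template_source = "Hello " + profile_name + "!"   # user data mixed into template
    return _env.from_string(template_source).render()


def render_greeting_fixed(profile_name: str) -> str:
    """FIXED: the template is a constant; the name is supplied as data.

    Jinja2 substitutes the variable's value but never parses it, so template
    syntax inside the name is rendered back as plain text.
    """
    template_source = "Hello {{ name }}!"             # fixed, developer-controlled
    return _env.from_string(template_source).render(name=profile_name)


def is_template_evaluated(profile_name: str, render) -> bool:
    """Defender-side check: does the renderer evaluate template syntax in input?

    Uses a harmless arithmetic probe (constructed value); a safe renderer must
    echo the probe back verbatim instead of its result.
    """
    probe = profile_name + "{{ 7 * 7 }}"
    return "49" in render(probe)


if __name__ == "__main__":
    name = "alice"
    print(render_greeting_vulnerable(name + "{{ 7 * 7 }}"))  # expression is evaluated
    print(render_greeting_fixed(name + "{{ 7 * 7 }}"))       # braces come back as text
    print("vulnerable evaluates input:", is_template_evaluated(name, render_greeting_vulnerable))
    print("fixed evaluates input:     ", is_template_evaluated(name, render_greeting_fixed))
```

The root cause is the same as in SQL or command injection: untrusted data and code share one string. The durable fix is structural (a constant template plus context variables, as in `render_greeting_fixed`), and `is_template_evaluated` is the kind of regression test a code reviewer can keep around so the concatenation pattern does not creep back in. Running templates in `jinja2.sandbox.SandboxedEnvironment` is worthwhile defence in depth, but it limits what injected template code can reach rather than removing the injection itself.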
Based on this incident, we built the Ubor challenge to recreate the RCE vulnerability:
It is also available in all popular formats: