CVE-2021-32090: 
Python vulnerability analysis and mitigation

The dashboard component of StackLift LocalStack 0.12.6 contains a critical command injection vulnerability (CVE-2021-32090) that allows attackers to inject arbitrary shell commands via the functionName parameter. The vulnerability was discovered in March 2021 and disclosed to the vendor in October 2020 (Sonar Blog, PortSwigger). LocalStack is a popular open source Python application that provides a test framework for cloud applications, enabling developers to host AWS cloud setups in local networks.

The vulnerability exists in the LocalStack dashboard's lambda code functionality. When processing requests to '/lambda//code', the application passes unsanitized user input from the functionName parameter directly into a system command via string concatenation. The command is then executed using subprocess.check_output() with shell=True, allowing command injection. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

An attacker can exploit this vulnerability to execute arbitrary system commands on the host running LocalStack. When combined with other vulnerabilities like SSRF and XSS, it enables complete compromise of the local instance and the ability to execute arbitrary system commands on the developer's machine (Sonar Blog).

The vendor was notified of the vulnerability in October 2020 but chose not to patch it, considering the risk limited due to LocalStack being executed on local machines. No official fixes or workarounds have been provided (Sonar Blog).

Security researchers from Sonarsource, who discovered the vulnerability, emphasized that while real-world attacks against local instances are less likely than against directly exposed applications, developers should be aware of these risks to protect their setups. The vendor's decision not to patch the vulnerability due to limited attack scenarios has been met with concern from security experts (PortSwigger).