← Back

CVE-2014-4650

nvd nist
Published: Feb 20, 2020Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Affected (8)

Python
1 product
Python
Redhat
2 products
Enterprise Linux
Software Collections
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Python
Python
From 2.7.0 to 2.7.8
Python
From 3.2.0 to 3.2.6
Python
From 3.3.0 to 3.3.6
Python
From 3.4.0 to 3.4.2
Configuration B
4 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Enterprise Linux
Version 5.0
Enterprise Linux
Version 6.0
Enterprise Linux
Version 7.0
Software Collections
All versions

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (6)

Source: cve@mitre.org
ExploitPatchVendor Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.