Vulnerability Description
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | >= 2.7.0, < 2.7.8 |
| Redhat | Software Collections | - |
| Redhat | Enterprise Linux | 5.0 |
Related Weaknesses (CWE)
References
- http://bugs.python.org/issue21766ExploitPatchVendor Advisory
- http://openwall.com/lists/oss-security/2014/06/26/3Mailing ListThird Party Advisory
- https://access.redhat.com/security/cve/cve-2014-4650Third Party Advisory
- http://bugs.python.org/issue21766ExploitPatchVendor Advisory
- http://openwall.com/lists/oss-security/2014/06/26/3Mailing ListThird Party Advisory
- https://access.redhat.com/security/cve/cve-2014-4650Third Party Advisory
FAQ
What is CVE-2014-4650?
CVE-2014-4650 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct ...
How severe is CVE-2014-4650?
CVE-2014-4650 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2014-4650?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Redhat Software Collections, Redhat Enterprise Linux.