← Retour aux CVEs

CVE-2014-4650

CRITICAL

9.8

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie2/20/2020

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

python:pythonredhat:enterprise_linuxredhat:software_collections

Faiblesses (CWE)

CWE-22

References

http://bugs.python.org/issue21766(cve@mitre.org)

http://openwall.com/lists/oss-security/2014/06/26/3(cve@mitre.org)

https://access.redhat.com/security/cve/cve-2014-4650(cve@mitre.org)

http://bugs.python.org/issue21766(af854a3a-2127-422b-91ae-364da2661108)

http://openwall.com/lists/oss-security/2014/06/26/3(af854a3a-2127-422b-91ae-364da2661108)

https://access.redhat.com/security/cve/cve-2014-4650(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.