CVE-2014-4650

CRITICAL

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
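The point of the description is the order of operations: a path that is split on literal `/` before percent-decoding treats `%2f` as ordinary characters of one component, so the CGI-directory check and the `..` collapsing never see the separator the file-serving layer later decodes. The following is an added example written for this page, not code from CPython, MITRE or Tenable. It is a simplified reimplementation of the path-collapsing step that compares both orders (decode-after-split as described in the CVE, decode-before-split as in the bpo-21766 fix), classifies a request the way a CGI handler would, and flags encoded separators in access-log lines for review. The CGI directory names are assumed to be the handler's defaults, and the sample paths and log lines are constructed.

```python
"""Decoding order in URL path normalization (CWE-22), simplified for illustration."""
import re
from urllib.parse import unquote

# Assumed CGI directories (matches the handler's documented defaults).
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def collapse_url_path(path: str, decode_first: bool) -> str:
    """Collapse '.' and '..' in a URL path; raise ValueError if it climbs above '/'.

    decode_first=False splits on '/' before decoding, so '%2f' stays inside a
    single component. decode_first=True decodes first, so '%2f' becomes a real
    separator and is subject to the same collapsing and root check.
    """
    path, _, _query = path.partition("?")
    if decode_first:
        path = unquote(path)
    parts = path.split("/")
    head = []
    for part in parts[:-1]:
        if part == "..":
            if not head:
                raise ValueError("path escapes the document root")
            head.pop()
        elif part and part != ".":
            head.append(part)
    tail = parts[-1]
    if tail == "..":
        if not head:
            raise ValueError("path escapes the document root")
        head.pop()
        tail = ""
    elif tail == ".":
        tail = ""
    return "/" + "/".join(head + [tail])


def classify_request(path: str, decode_first: bool):
    """Return ('cgi', path), ('file', path) or ('reject', reason).

    Mirrors the handler's rule that the first path component names the CGI
    directory. With decode_first=False an encoded separator either hides a
    script from the CGI check (served as a file, i.e. source disclosure) or
    hides '..' inside the script name (resolved later, outside the CGI dir).
    """
    try:
        collapsed = collapse_url_path(path, decode_first)
    except ValueError as exc:
        return ("reject", str(exc))
    dir_sep = collapsed.find("/", 1)
    if dir_sep > 0 and collapsed[:dir_sep] in CGI_DIRECTORIES:
        return ("cgi", collapsed)
    return ("file", collapsed)


# Percent-encoded '/', '\' or '.' in a request path is worth a second look on
# servers that normalize before decoding.
ENCODED_SEP = re.compile(r"%2[fF]|%5[cC]|%2[eE]")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_encoded_separators(log_lines):
    """Return request paths from access-log lines that contain encoded separators."""
    flagged = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and ENCODED_SEP.search(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample input (not from the page).
SAMPLE_PATHS = [
    "/cgi-bin/hello.py",
    "/cgi-bin%2fhello.py",
    "/cgi-bin/..%2f..%2foutside.txt",
]
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2020:00:00:00 +0000] "GET /cgi-bin/hello.py HTTP/1.1" 200 12',
    '127.0.0.1 - - [01/Jan/2020:00:00:01 +0000] "GET /cgi-bin%2fhello.py HTTP/1.1" 200 310',
    '127.0.0.1 - - [01/Jan/2020:00:00:02 +0000] "GET /cgi-bin/..%2F..%2Foutside.txt HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "| split-first:", classify_request(p, False),
              "| decode-first:", classify_request(p, True))
    print("flagged in log:", flag_encoded_separators(SAMPLE_LOG))
```

With decode-first normalization the encoded script path is recognized as CGI and the encoded `..` sequence is rejected before any file or directory lookup happens; with split-first normalization both slip through the checks. The log helper is the detection counterpart: a 200 response to a request path containing `%2f` or `%2e` on an unpatched CGIHTTPServer is the signal to look for.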

References

http://bugs.python.org/issue21766

http://openwall.com/lists/oss-security/2014/06/26/3

https://access.redhat.com/security/cve/cve-2014-4650

Details

Source: MITRE

Published: 2020-02-20

Updated: 2020-02-26

Type: CWE-22

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins (25 total)

ID | Name | Product | Family | Severity
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133172 | openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133036 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
93069 | openSUSE Security Update : python3 (openSUSE-2016-997) (httpoxy) | Nessus | SuSE Local Security Checks | critical
87570 | Scientific Linux Security Update : python on SL7.x x86_64 (20151119) | Nessus | Scientific Linux Local Security Checks | critical
87347 | Amazon Linux AMI : python26 (ALAS-2015-621) | Nessus | Amazon Linux Local Security Checks | critical
87129 | CentOS 7 : python (CESA-2015:2101) | Nessus | CentOS Local Security Checks | critical
87020 | Oracle Linux 7 : python (ELSA-2015-2101) | Nessus | Oracle Linux Local Security Checks | critical
86968 | RHEL 7 : python (RHSA-2015:2101) | Nessus | Red Hat Local Security Checks | critical
85250 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2015:1344-1) | Nessus | SuSE Local Security Checks | critical
85206 | Scientific Linux Security Update : python on SL6.x i386/x86_64 (20150722) | Nessus | Scientific Linux Local Security Checks | critical
85099 | Oracle Linux 6 : python (ELSA-2015-1330) | Nessus | Oracle Linux Local Security Checks | critical
85012 | CentOS 6 : python (CESA-2015:1330) | Nessus | CentOS Local Security Checks | high
84938 | RHEL 6 : python (RHSA-2015:1330) | Nessus | Red Hat Local Security Checks | critical
84428 | Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : python2.7, python3.2, python3.4 vulnerabilities (USN-2653-1) | Nessus | Ubuntu Local Security Checks | critical
82329 | Mandriva Linux Security Advisory : python3 (MDVSA-2015:076) | Nessus | Mandriva Local Security Checks | high
82328 | Mandriva Linux Security Advisory : python (MDVSA-2015:075) | Nessus | Mandriva Local Security Checks | high
79392 | Fedora 19 : python-2.7.5-15.fc19 (2014-14266) | Nessus | Fedora Local Security Checks | medium
79075 | Fedora 20 : python-2.7.5-15.fc20 (2014-14227) | Nessus | Fedora Local Security Checks | medium
78873 | Amazon Linux AMI : python27 (ALAS-2014-440) | Nessus | Amazon Linux Local Security Checks | critical
77431 | openSUSE Security Update : python3 (openSUSE-SU-2014:1070-1) | Nessus | SuSE Local Security Checks | critical
77295 | openSUSE Security Update : python3 (openSUSE-SU-2014:1042-1) | Nessus | SuSE Local Security Checks | critical
77294 | openSUSE Security Update : python (openSUSE-SU-2014:1041-1) | Nessus | SuSE Local Security Checks | critical
77293 | openSUSE Security Update : python (openSUSE-SU-2014:1046-1) | Nessus | SuSE Local Security Checks | critical
77180 | SuSE 11.3 Security Update : Python (SAT Patch Number 9581) | Nessus | SuSE Local Security Checks | high