CVE-2014-4650

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
References
Link Resource
http://bugs.python.org/issue21766 Exploit Patch Vendor Advisory
http://openwall.com/lists/oss-security/2014/06/26/3 Mailing List Third Party Advisory
https://access.redhat.com/security/cve/cve-2014-4650 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

History

27 Jun 2022, 16:20

Type Values Removed Values Added
CPE cpe:2.3:a:python:python:3.3.4:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.7.5:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Information

Published : 2020-02-20 17:15

Updated : 2023-12-10 13:13


NVD link : CVE-2014-4650

Mitre link : CVE-2014-4650

CVE.ORG link : CVE-2014-4650


JSON object : View

Products Affected

redhat

  • enterprise_linux
  • software_collections

python

  • python
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')