Fluid Attacks Database

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python2.7	>=0 <2.7.8-1	2.7.8-1
rpm rhel6	python	<0:2.6.6-64.el6	0:2.6.6-64.el6
rpm rhel5	python	-	-
rpm rhel7	python	<0:2.7.5-34.el7	0:2.7.5-34.el7

Aliases

1. CVE-2014-46502. NVD-2014-46503. OSV-DEBIAN-2014-46504. OSV-2014-46505. SECURITY-TRACKER-CVE-2014-4650

References

1. https://www.exploit-db.com/exploits/33894

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.