Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Remediation

References

CVE-2014-4650

Related Vulnerabilities

WordPress Plugin BulletProof Security Information Disclosure (5.1)

phpMyAdmin Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2009-1148)

WordPress Plugin WP Domain Redirect SQL Injection (1.0)

SharePoint Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-0920)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-1902)

Severity

Critical

Classification

CVE-2014-4650 CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities