Name | CVE-2014-4650 |
Description | The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | ELA-164-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
python2.7 (PTS) | jessie, jessie (lts) | 2.7.9-2-ds1-1+deb8u12 | fixed |
python2.7 | stretch (security) | 2.7.13-2+deb9u6 | fixed |
python2.7 | stretch (lts), stretch | 2.7.13-2+deb9u9 | fixed |
python2.7 | buster (security), buster, buster (lts) | 2.7.16-2+deb10u4 | fixed |
python2.7 | bullseye | 2.7.18-8+deb11u1 | fixed |
python3.4 (PTS) | jessie, jessie (lts) | 3.4.2-1+deb8u18 | fixed |
The information below is based on the following data on fixed versions.
Notes
[squeeze] - python2.6 <no-dsa> (Minor issue)
[wheezy] - python2.6 <no-dsa> (Minor issue)
[wheezy] - python2.7 <no-dsa> (Minor issue)
[squeeze] - python3.1 <no-dsa> (Minor issue)
[wheezy] - python3.2 <no-dsa> (Minor issue)
http://bugs.python.org/issue21766
[wheezy] - python2.6 <not-affected> (Vulnerable code not present)