CVE-2018-7490

NameCVE-2018-7490
DescriptionuWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4142-1
Debian Bugs891639

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
uwsgi (PTS)jessie, jessie (lts)2.0.7-1+deb8u5fixed
stretch (security)2.0.14+20161117-3+deb9u5fixed
stretch (lts), stretch2.0.14+20161117-3+deb9u7fixed
buster2.0.18-1fixed
bullseye2.0.19.1-7.1fixed
bookworm2.0.21-5.1fixed
sid, trixie2.0.28-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
uwsgisourcewheezy(not affected)
uwsgisourcejessie2.0.7-1+deb8u2DSA-4142-1
uwsgisourcestretch2.0.14+20161117-3+deb9u2DSA-4142-1
uwsgisource(unstable)2.0.15-10.4891639

Notes

[wheezy] - uwsgi <not-affected> (plugin package introduced in jessie)
Fixed in 2.0.17 upstream
https://github.com/unbit/uwsgi/commit/0a480f435ea6feb63deb410ad2bf376ed3f05f8a
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
Search for package or bug name: Reporting problems