Your submission was sent successfully! Close

CVE-2014-4650

Published: 25 June 2014

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian
lucid Does not exist

precise
Released (2.7.3-0ubuntu3.8)
saucy Ignored
(reached end-of-life)
trusty
Released (2.7.6-8ubuntu0.2)
upstream Needed

utopic Not vulnerable
(2.7.8-10ubuntu1)
vivid Not vulnerable
(2.7.9-2ubuntu3)
Patches:
upstream: http://hg.python.org/cpython/rev/b4bab0788768


python3.2
Launchpad, Ubuntu, Debian
lucid Does not exist

precise
Released (3.2.3-0ubuntu3.7)
saucy Does not exist

trusty Does not exist

upstream Needed

utopic Does not exist

vivid Does not exist

Patches:

upstream: http://hg.python.org/cpython/rev/5676797f3a3e (3.3)

python3.4
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

saucy Does not exist

trusty
Released (3.4.0-2ubuntu1.1)
upstream Needed

utopic Not vulnerable
(3.4.1-6)
vivid Not vulnerable
(3.4.1-6)
Patches:


upstream: http://hg.python.org/cpython/rev/847e288d6e93