CVE-2014-4650
9.8
CRITICAL
CVSS 3.1
EPSS 7.2%
Description
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
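The root cause is an ordering problem: the server collapsed `.` and `..` components and checked whether the request targeted a CGI directory on the still percent-encoded path, and only decoded `%2f` later when mapping the path to the filesystem. The model below is an added example written for this page, not CPython's own code; it reproduces that ordering in a few lines and contrasts it with the fixed order (decode first). The document root `/srv/www` and the default CGI directory names are assumptions for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout for this model (not taken from the advisory): a document root
# and the CGI directory names CGIHTTPServer uses by default.
DOCROOT = '/srv/www'
CGI_DIRECTORIES = ('/cgi-bin', '/htbin')


def collapse(path: str) -> str:
    """Lexically drop '.' and '..' URL components and keep a leading '/'.

    Only a literal '/' delimits components here; an encoded '%2f' is plain
    text, so any '..' hiding behind it survives this step untouched."""
    out = []
    for part in path.split('/'):
        if part in ('', '.'):
            continue
        if part == '..':
            if out:
                out.pop()
        else:
            out.append(part)
    return '/' + '/'.join(out)


def route(url_path: str, decode_before_collapse: bool):
    """Model the routing decision for one request path.

    decode_before_collapse=False models the vulnerable order: classify the
    still-encoded path and percent-decode only when mapping to the filesystem.
    True models the fix: decode first, so '%2f' is a real separator before the
    '..' handling and before the CGI-directory check.

    Returns (kind, fs_path, inside_docroot) where kind is 'cgi' or 'static'."""
    path = url_path.partition('?')[0]          # ignore the query string
    if decode_before_collapse:
        path = unquote(path)
    collapsed = collapse(path)
    head, _, tail = collapsed.lstrip('/').partition('/')
    kind = 'cgi' if ('/' + head) in CGI_DIRECTORIES and tail else 'static'
    # The filesystem mapping always decodes. With the vulnerable order this is
    # the first point at which '%2f', and any '..' behind it, take effect.
    fs_path = posixpath.normpath(DOCROOT + unquote(collapsed))
    inside = fs_path == DOCROOT or fs_path.startswith(DOCROOT + '/')
    return kind, fs_path, inside


if __name__ == '__main__':
    # Constructed request paths: an encoded separator in front of the script
    # name (source disclosure) and encoded '..' segments after the CGI
    # directory (traversal out of the document root).
    for url in ('/cgi-bin%2fscript.py', '/cgi-bin/..%2f..%2fsecret.py'):
        for fixed in (False, True):
            print(('fixed     ' if fixed else 'vulnerable'), url,
                  '->', route(url, decode_before_collapse=fixed))
```

With the vulnerable order, `/cgi-bin%2fscript.py` is not recognised as a CGI request and is served as a static file from `cgi-bin/`, which is the source-disclosure case; `/cgi-bin/..%2f..%2fsecret.py` is accepted as CGI but resolves to `/srv/secret.py`, outside the document root, which is the traversal-and-execute case. Decoding before collapsing and classifying removes both. Any server that routes on a URL path should apply the same rule: normalise after decoding, never before, and check the final filesystem path against the document root as a second line of defence.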
How to fix CVE-2014-4650
To remediate CVE-2014-4650, upgrade the affected package to the fixed version listed below or later. Until then, do not expose CGIHTTPServer on a network-reachable interface; it is a development server and the flaw is reachable by any unauthenticated client that can send it a request.
- Debian/python2.7—upgrade to 2.7.8-1 or later
Is CVE-2014-4650 being exploited?
Moderate. EPSS is 7.2%, the estimated probability that this CVE is exploited in the wild within the next 30 days; that is higher than the large majority of CVEs, which sit below 1%, but well short of the actively exploited tier. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Debian/python2.7: versions from 0 up to, but not including, 2.7.8-1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |