CVE-2014-4650

CRITICAL

Python <3.3.4 - Path Traversal

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Exploits (1)

exploitdb WRITEUP VERIFIED
by RedTeam Pentesting · text · webapps · multiple
https://www.exploit-db.com/exploits/33894

Scores

CVSS v3 9.8
EPSS 0.0723
EPSS Percentile 91.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (5)
python/python 2.7.0 - 2.7.8
redhat/enterprise_linux 5.0
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
redhat/software_collections
Published Feb 20, 2020
Tracked Since Feb 18, 2026