CVE-2014-0240 — Privilege Dropping / Lowering Errors in Mod-wsgi

CWE-264 CWE-271 — Privilege Dropping / Lowering Errors11 documents7 sources

Severity

6.2MEDIUMNVD

EPSS

0.2%

top 54.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Mod-wsgi Modwsgi MOD Wsgi

Timeline

PublishedMay 27

Latest updateMay 17

Description

The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.

CVSS vector

AV:L/AC:H/C:C/I:C/A:CExploitability: 1.9 | Impact: 10.0

Affected Packages2 packages

▶debiandebian/mod-wsgi< mod-wsgi 3.5-1 (bookworm)

▶NVDmodwsgi/mod_wsgi3.4+20

🔴Vulnerability Details

GHSA

GHSA-p3r2-mvh7-9pcc: The mod_wsgi module before 3↗2022-05-17

▶

OSV

CVE-2014-0240: The mod_wsgi module before 3↗2014-05-27

▶

OSV

mod-wsgi vulnerabilities↗2014-05-26

▶

📋Vendor Advisories

Ubuntu

mod_wsgi vulnerabilities↗2014-05-26

▶

Red Hat

mod_wsgi: possible privilege escalation in setuid() failure scenarios↗2014-05-21

▶

Debian

CVE-2014-0240: mod-wsgi - The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not...↗2014

▶

💬Community

Bugzilla

CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios [epel-5]↗2014-05-28

▶

Bugzilla

CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios↗2014-05-28

▶

Bugzilla

CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios [fedora-all]↗2014-05-28

▶

Bugzilla

CVE-2014-0240 python26-mod_wsgi: mod_wsgi: possible privilege escalation in setuid() failure scenarios [epel-5]↗2014-05-28

▶