CVE-2014-4650
published 2020-02-20


Priority: P268 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.15% (97.6th percentile)
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python2.7 | < python2.7 2.7.8-1 (bullseye) | python2.7 2.7.8-1 (bullseye) |
| python | python | >= 2.7.0 < 2.7.8 | 2.7.8 |
| python | python | >= 3.2.0 < 3.2.6 | 3.2.6 |
| python | python | >= 3.3.0 < 3.3.6 | 3.3.6 |
| python | python | >= 3.4.0 < 3.4.2 | 3.4.2 |
| redhat | enterprise_linux | | |
| redhat | enterprise_linux | | |
| redhat | enterprise_linux | | |

Detection & IOCs (extracted from sources)

url: http://localhost:8000/cgi-bin%2ftest.py
url: http://localhost:8000/cgi-bin/..%2fexploit.py
url: http://localhost:8000/cgi-bin/subdir%2ftest.py
url: http://localhost:8000/cgi-bin/..%2ftraversed.py
other: %2f (URL-encoded path separator used in traversal)
  • Detect HTTP GET/HEAD/POST requests to a CGIHTTPServer where the URL contains a percent-encoded forward slash (%2f or %2F) within or after a known CGI directory path segment (e.g., /cgi-bin%2f or /cgi-bin/..%2f). This bypasses is_cgi() checks and triggers file disclosure or unintended script execution.
  • Alert on HTTP requests containing the pattern `cgi-bin%2f` or `cgi-bin/..%2f` in the request URI, which are the canonical attack patterns for CVE-2014-4650 source disclosure and directory traversal respectively.
  • Monitor for HTTP 200 responses to requests with URL-encoded slashes (%2f/%2F) in paths served by Python's CGIHTTPServer, particularly where the response body contains script source code (e.g., shebang lines like `#!/usr/bin/env python`).
  • The vulnerability is exploitable via HTTP GET, HEAD, and POST methods. Detection should cover all three HTTP methods containing %2f in the URI path targeting a Python CGIHTTPServer instance.
  • The vulnerability only affects servers built using Python's CGIHTTPServer (Python 2) / http.server CGIHTTPRequestHandler (Python 3) module. It does not affect other Python web frameworks or servers. Exploitation is limited to files within the server's working directory or its subdirectories.
  • The module itself contains an upstream security warning that it should only be used inside a firewall. Even local use may allow other local users to execute code in the context of another user.
  • Affected Python versions span multiple branches: 2.7–2.7.7, 3.2–3.2.4, 3.3–3.3.2, 3.4–3.4.1, and 3.5 pre-release. Detection rules should account for all these versions still in use.
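
The detection guidance above, sketched as a log scanner. This is an added example, not code from the source advisories or from Python itself. It assumes Common Log Format access lines and the handler's default CGI directories (`/cgi-bin`, `/htbin`); the names `classify`, `scan` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Assumption: Common Log Format lines; adjust the regex for your log source.
CLF = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Default cgi_directories of CGIHTTPRequestHandler; extend if the server overrides them.
CGI_DIRS = ("/cgi-bin", "/htbin")
METHODS = {"GET", "HEAD", "POST"}

SAMPLE_LOG = [  # constructed lines, built from the request paths listed above
    '127.0.0.1 - - [20/Feb/2020:10:00:00 +0000] "GET /cgi-bin/test.py HTTP/1.1" 200 12',
    '127.0.0.1 - - [20/Feb/2020:10:00:01 +0000] "GET /cgi-bin%2ftest.py HTTP/1.1" 200 88',
    '127.0.0.1 - - [20/Feb/2020:10:00:02 +0000] "POST /cgi-bin/..%2Fexploit.py HTTP/1.1" 404 0',
    '127.0.0.1 - - [20/Feb/2020:10:00:03 +0000] "HEAD /cgi-bin/subdir%2ftest.py HTTP/1.1" 200 0',
    '127.0.0.1 - - [20/Feb/2020:10:00:04 +0000] "GET /static/a%2fb.css HTTP/1.1" 200 5',
]


def classify(uri):
    """Return a finding label for a request URI, or None if it looks benign."""
    # Only the path matters; case-fold so %2F and %2f both match.
    path = uri.split("?", 1)[0].split("#", 1)[0].lower()
    for cgi_dir in CGI_DIRS:
        if not path.startswith(cgi_dir):
            continue
        rest = path[len(cgi_dir):]
        if rest.startswith("%2f"):
            return "encoded-separator-after-cgi-dir"   # /cgi-bin%2ftest.py
        if rest.startswith("/") and "..%2f" in rest:
            return "encoded-traversal"                 # /cgi-bin/..%2fexploit.py
        if rest.startswith("/") and "%2f" in rest:
            return "encoded-separator-in-cgi-path"     # /cgi-bin/subdir%2ftest.py
    return None


def scan(lines):
    """Return (method, uri, label, answered_200) for each suspicious request."""
    findings = []
    for line in lines:
        m = CLF.search(line)
        if not m or m["method"] not in METHODS:
            continue
        label = classify(m["uri"])
        if label:
            # A 200 means the server answered the encoded path: triage these first.
            findings.append((m["method"], m["uri"], label, m["status"] == "200"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Encoded slashes outside a CGI directory or inside a query string are ignored, which keeps the rule scoped to the path handling this CVE concerns.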

CVSS provenance

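| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |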