CVE-2014-4650 — Path Traversal in Python
Public exploit available: public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity: 9.8 CRITICAL (NVD); 7.5 (OSV)
EPSS: 7.2% (top 8.36%)
CISA KEV: not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: none listed
Timeline: published Feb 20; latest update May 17
Description
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability subscore 3.9, impact subscore 5.9)
Affected packages: 2 packages
Also affects: Enterprise Linux 5.0, 6.0, 7.0
Bugzilla (4 entries)
2014-06-26: CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
2014-06-26: CVE-2014-4650 python3: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
2014-06-26: CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
2014-06-26: CVE-2014-4650 python26: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [epel-5]