CVE-2014-4650
Published: 2020-02-20
Priority: P2 · 68 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.15% (97.6th percentile)
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python2.7 | < python2.7 2.7.8-1 (bullseye) | python2.7 2.7.8-1 (bullseye) |
| python | python | >= 2.7.0 < 2.7.8 | 2.7.8 |
| python | python | >= 3.2.0 < 3.2.6 | 3.2.6 |
| python | python | >= 3.3.0 < 3.3.6 | 3.3.6 |
| python | python | >= 3.4.0 < 3.4.2 | 3.4.2 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
Detection & IOCs
- Detect HTTP GET/HEAD/POST requests to a CGIHTTPServer where the URL contains a percent-encoded forward slash (%2f or %2F) within or after a known CGI directory path segment (e.g., /cgi-bin%2f or /cgi-bin/..%2f). This bypasses is_cgi() checks and triggers file disclosure or unintended script execution.
- Alert on HTTP requests containing the pattern `cgi-bin%2f` or `cgi-bin/..%2f` in the request URI, which are the canonical attack patterns for CVE-2014-4650 source disclosure and directory traversal respectively.
- Monitor for HTTP 200 responses to requests with URL-encoded slashes (%2f/%2F) in paths served by Python's CGIHTTPServer, particularly where the response body contains script source code (e.g., shebang lines like `#!/usr/bin/env python`).
- The vulnerability is exploitable via HTTP GET, HEAD, and POST methods. Detection should cover all three HTTP methods containing %2f in the URI path targeting a Python CGIHTTPServer instance.
- The vulnerability only affects servers built using Python's CGIHTTPServer (Python 2) / http.server CGIHTTPRequestHandler (Python 3) module. It does not affect other Python web frameworks or servers. Exploitation is limited to files within the server's working directory or its subdirectories.
- The module itself contains an upstream security warning that it should only be used inside a firewall. Even local use may allow other local users to execute code in the context of another user.
- Affected Python versions span multiple branches: 2.7–2.7.7, 3.2–3.2.4, 3.3–3.3.2, 3.4–3.4.1, and 3.5 pre-release. Detection rules should account for all these versions still in use.
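The detection guidance above, turned into a log check as an added example (not code from this page or from any of the cited advisories). It assumes Common/Combined Log Format access logs; the function names, finding labels and sample log lines are constructed for illustration.

```python
import re

# Assumed input: Common/Combined Log Format lines from a proxy in front of the server.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
METHODS = {"GET", "HEAD", "POST"}  # the three methods the page lists

def classify(uri, cgi_dir="cgi-bin"):
    """Label a request URI whose path has %2f at or below the CGI directory."""
    path = uri.split("?", 1)[0]  # %2F in a query string is ordinary and ignored
    # The CGI directory must end at a real or an encoded separator (not /cgi-binary).
    m = re.search(rf"/{re.escape(cgi_dir)}((?:/|%2f).*)$", path, re.IGNORECASE)
    if not m:
        return None
    tail = m.group(1).lower()
    if "%2f" not in tail:
        return None
    if tail.startswith("%2f"):
        return "source-disclosure-pattern"   # cgi-bin%2f
    if ".." in tail:
        return "traversal-pattern"           # cgi-bin/..%2f
    return "encoded-separator"

def scan(lines, cgi_dir="cgi-bin"):
    """Return one finding per matching log line; 200 responses rank highest."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) not in METHODS:
            continue
        src, method, uri, status = m.groups()
        label = classify(uri, cgi_dir)
        if label:
            findings.append({"src": src, "method": method, "uri": uri, "label": label,
                             "priority": "high" if status == "200" else "review"})
    return findings

# Constructed sample log lines (documentation addresses, made-up script names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2014:10:00:01 +0000] "GET /cgi-bin/report.py?next=%2Fhome HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jul/2014:10:00:02 +0000] "GET /cgi-bin%2freport.py HTTP/1.1" 200 734',
    '192.0.2.11 - - [01/Jul/2014:10:00:03 +0000] "POST /cgi-bin/..%2Ftools/job.py HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jul/2014:10:00:04 +0000] "GET /cgi-binary/a%2fb HTTP/1.1" 200 10',
    '192.0.2.13 - - [01/Jul/2014:10:00:05 +0000] "OPTIONS /cgi-bin%2freport.py HTTP/1.1" 501 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `high` finding still needs the response body checked for script source, as the third item above describes; the status code alone does not confirm disclosure.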
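CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |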
Ubuntu
Python vulnerabilities
vendor_ubuntu·2015-06-25·CVSS 7.5
CVE-2013-1752 [HIGH] Python vulnerabilities
Summary: Several security issues were fixed in Python.
It was discovered that multiple Python protocol libraries incorrectly
limited certain data when connecting to servers. A malicious ftp, http,
imap, nntp, pop or smtp server could use this issue to cause a denial of
service. (CVE-2013-1752)
It was discovered that the Python xmlrpc library did not limit unpacking
gzip-compressed HTTP bodies. A malicious server could use this issue to
cause a denial of service. (CVE-2013-1753)
It was discovered that the Python json module incorrectly handled a certain
argument. An attacker could possibly use this issue to read arbitrary
memory and expose sensitive information. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4616)
It was discover
Red Hat
python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
vendor_redhat·2014-06-23·CVSS 9.8
CVE-2014-4650 [CRITICAL] CWE-138 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose source of scripts in the cgi-bin directory.
Statement: This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5 and 7 as well as Red Hat Software Collections. A fu
Debian
CVE-2014-4650: python2.7 - The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs...
vendor_debian·2014·CVSS 9.8
CVE-2014-4650 [CRITICAL] CVE-2014-4650: python2.7 - The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs...
Scope: local
bullseye: resolved (fixed in 2.7.8-1)
GHSA
GHSA-33c8-ggqv-8g5p: The CGIHTTPServer module in Python 2
ghsa_unreviewed·2022-05-17
CVE-2014-4650 [CRITICAL] CWE-22 GHSA-33c8-ggqv-8g5p: The CGIHTTPServer module in Python 2
OSV
CVE-2014-4650: The CGIHTTPServer module in Python 2
osv·2020-02-20·CVSS 9.8
CVE-2014-4650 [CRITICAL] CVE-2014-4650: The CGIHTTPServer module in Python 2
OSV
python2.7, python3.2, python3.4 vulnerabilities
osv·2015-06-25·CVSS 7.5
CVE-2013-1752 [HIGH] python2.7, python3.2, python3.4 vulnerabilities
It was discovered that multiple Python protocol libraries incorrectly
limited certain data when connecting to servers. A malicious ftp, http,
imap, nntp, pop or smtp server could use this issue to cause a denial of
service. (CVE-2013-1752)
It was discovered that the Python xmlrpc library did not limit unpacking
gzip-compressed HTTP bodies. A malicious server could use this issue to
cause a denial of service. (CVE-2013-1753)
It was discovered that the Python json module incorrectly handled a certain
argument. An attacker could possibly use this issue to read arbitrary
memory and expose sensitive information. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4616)
It was discovered that the Python CGIHTTPServer incor
No detection rules found.
Bugzilla
CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
bugzilla·2014-06-26·CVSS 9.8
CVE-2014-4650 [CRITICAL] CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
It was discovered [1] that Python built-in module CGIHTTPServer does not properly handle URL-encoded path separators in URLs which may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root.
Complete technical description is available at [1]
[1]: http://bugs.python.org/issue21766
Upstream commits:
2.7: http://hg.python.org/cpython/rev/b4bab0788768
3.2: http://hg.python.org/cpython/rev/e47422855841
3.3: http://hg.python.org/cpython/rev/5676797f3a3e
3.4: http://hg.python.org/cpython/rev/847e288d6e93
Discussion:
Created python tracking bugs for this issue:
Affects: fedora-all [bug 1113528]
---
Created python26 tracking bugs
Bugzilla
CVE-2014-4650 python3: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
bugzilla·2014-06-26·CVSS 9.8
CVE-2014-4650 [CRITICAL] CVE-2014-4650 python3: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field whe
Bugzilla
CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
bugzilla·2014-06-26·CVSS 9.8
CVE-2014-4650 [CRITICAL] CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
Bugzilla
CVE-2014-4650 python26: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [epel-5]
bugzilla·2014-06-26·CVSS 9.8
CVE-2014-4650 [CRITICAL] CVE-2014-4650 python26: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [epel-5]