CVE-2018-7490
published 2018-02-26

CVE-2018-7490: uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.

Priority: P2 · 69 · high · CVSS 3.0: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 70.81% (99.3rd percentile)

Affected

9 ranges

Vendor  Product       Version range                       Fixed in
debian  debian_linux  -                                   -
debian  debian_linux  -                                   -
debian  uwsgi         < uwsgi 2.0.15-10.4 (bookworm)      uwsgi 2.0.15-10.4 (bookworm)
unbit   uwsgi         < 2.0.17                            2.0.17
unbit   uwsgi         >= 0 < 2.0.15-10.4                  2.0.15-10.4
unbit   uwsgi         >= 0 < 2.0.15-10.4                  2.0.15-10.4
unbit   uwsgi         >= 0 < 2.0.15-10.4                  2.0.15-10.4
unbit   uwsgi         >= 0 < 2.0.15-10.4                  2.0.15-10.4
unbit   uwsgi         >= 0 < 2.0.17                       2.0.17

Detection & IOCs (extracted from sources)

url:  /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
path: ..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
  • Look for URL-encoded path traversal sequences '..%2f' in HTTP request paths targeting uWSGI PHP plugin endpoints. The traversal pattern uses percent-encoded forward slashes to bypass DOCUMENT_ROOT checks.
  • Monitor uWSGI server logs for the security error message that indicates a traversal attempt; the file contents may still have been returned to the requester even when that message is logged, so treat it as evidence of exploitation, not of a blocked request.
  • Match HTTP response body for /etc/passwd content (regex: root:.*:0:0:) on requests containing '..%2f' sequences to confirm successful exploitation.
  • Vulnerability is only exploitable when uWSGI is run with --php-docroot option and without --php-allowed-docroot. Audit uWSGI configurations for use of --php-docroot without --php-allowed-docroot on versions before 2.0.17.
  • The directory traversal is only exploitable when uWSGI is run as a standalone server (without a front-end web server) using the --php-docroot option. Using --php-allowed-docroot instead mitigates the vulnerability.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     7.5    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
osv            -        7.5    HIGH      -
vendor_debian  -        7.5    HIGH      -