CVE-2014-4650 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 90%

Affected Products (NVD)

Vendor	Product	Version
python	python	2.7.0 ≤ 𝑥 < 2.7.8
python	python	3.2.0 ≤ 𝑥 < 3.2.6
python	python	3.3.0 ≤ 𝑥 < 3.3.6
python	python	3.4.0 ≤ 𝑥 < 3.4.2
redhat	software_collections	-
redhat	enterprise_linux	5.0
redhat	enterprise_linux	6.0
redhat	enterprise_linux	7.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python2.7

bullseye	2.7.18-8+deb11u1 fixed
squeeze	no-dsa
wheezy	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

python2.7

lucid	dne
precise	Fixed 2.7.3-0ubuntu3.8 released
saucy	ignored
trusty	Fixed 2.7.6-8ubuntu0.2 released
utopic	not-affected
vivid	not-affected

python3.2

lucid	dne
precise	Fixed 3.2.3-0ubuntu3.7 released
saucy	dne
trusty	dne
utopic	dne
vivid	dne

python3.4

lucid	dne
precise	dne
saucy	dne
trusty	Fixed 3.4.0-2ubuntu1.1 released
utopic	not-affected
vivid	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

http://bugs.python.org/issue21766

http://openwall.com/lists/oss-security/2014/06/26/3

https://access.redhat.com/security/cve/cve-2014-4650

http://bugs.python.org/issue21766

http://openwall.com/lists/oss-security/2014/06/26/3

https://access.redhat.com/security/cve/cve-2014-4650