PT-2014-1704 · Python+5

Published

2014-06-25

·

Updated

2025-11-07

·

CVE-2014-4650

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Python 2.7.5 and 3.3.4, the versions named in the CVE record. Other 2.7 and 3.x releases that predate the fix for CPython issue 21766 (shipped in Python 2.7.8 and 3.4.2) carry the same CGIHTTPServer code and should be treated as affected.

Description

CGIHTTPServer (http.server.CGIHTTPRequestHandler in Python 3) decides whether a request targets a CGI directory by splitting the still-percent-encoded URL path on '/'. A path such as /cgi-bin%2fscript.py therefore does not match any configured CGI directory, so the request falls through to the static-file handler, which does percent-decode the path and serves /cgi-bin/script.py as an ordinary file. A remote, unauthenticated attacker can thus read CGI script source (which frequently embeds credentials, internal hostnames or other logic worth hiding) and, per the CVE record, use the same encode-before-check mismatch to conduct directory traversal or cause unintended code to execute in the server's document root. The %2f separator is the trigger demonstrated in the CVE record; the underlying flaw is the ordering of decoding and checking, not that one byte sequence.

Recommendations

Upgrade to a Python release that percent-decodes the request path before the CGI-directory check (the fix for CPython issue 21766, shipped in Python 2.7.8 and 3.4.2); distribution users should apply the vendor updates listed under Related Identifiers. If you cannot update immediately, stop exposing CGIHTTPServer to untrusted networks: it is a development convenience rather than a hardened server, and the Python documentation warns that http.server is not recommended for production. If it must stay reachable, place it behind a reverse proxy or firewall rule that rejects requests whose raw path contains an encoded slash (%2f or %2F) under the CGI directories, and review access logs for such requests, since a 200 response to one of them indicates the script body was already served.
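The ordering bug described above, and the check a defender would run against access logs, as an added example for this advisory (a simplified re-implementation written here, not the CPython standard-library code). It models the pre-fix `is_cgi()` decision (split the encoded path, then compare against the CGI directories) beside the post-fix ordering (decode first), and the static-file fallback that decodes the path regardless. The document root `/srv/www`, the script names and the Common-Log-Format lines are constructed for the demonstration; `CGI_DIRECTORIES` holds the module's documented defaults.

```python
"""Model of the ordering bug behind CVE-2014-4650 (CPython issue 21766).

Simplified re-implementation for this advisory page, not the stdlib code.
The one difference that matters is preserved: the vulnerable CGIHTTPServer
located the CGI directory by splitting the still-percent-encoded URL path on
'/', while the fixed version percent-decodes first. Document root, script
names and log lines below are constructed for the demonstration.
"""
import posixpath
import re
from urllib.parse import unquote

CGI_DIRECTORIES = ['/cgi-bin', '/htbin']   # CGIHTTPServer's default cgi_directories
DOCROOT = '/srv/www'                        # assumed document root (POSIX path)


def _strip_query(raw_path: str) -> str:
    return raw_path.split('?', 1)[0]


def _split_cgi(collapsed: str):
    """Split '/dir/rest' into ('/dir', 'rest'), the way is_cgi() locates the CGI dir."""
    sep = collapsed.find('/', 1)
    if sep == -1:
        return collapsed, ''
    return collapsed[:sep], collapsed[sep + 1:]


def is_cgi_vulnerable(raw_path: str, cgi_dirs=CGI_DIRECTORIES):
    """Pre-fix ordering: collapse and split the *encoded* path.
    '%2f' is not a separator here, so '/cgi-bin%2fx.py' is not seen as CGI."""
    head, tail = _split_cgi(posixpath.normpath(_strip_query(raw_path)))
    return (head, tail) if head in cgi_dirs else None


def is_cgi_fixed(raw_path: str, cgi_dirs=CGI_DIRECTORIES):
    """Post-fix ordering: percent-decode, then collapse and split."""
    head, tail = _split_cgi(posixpath.normpath(unquote(_strip_query(raw_path))))
    return (head, tail) if head in cgi_dirs else None


def translate_static_path(raw_path: str, docroot: str = DOCROOT) -> str:
    """What the static-file fallback does with a non-CGI request: decode,
    normalise, then join onto the document root. It *does* decode, which is
    why the encoded slash turns into a real directory separator on disk."""
    rel = posixpath.normpath(unquote(_strip_query(raw_path))).lstrip('/')
    return posixpath.join(docroot, rel) if rel else docroot


def classify(raw_path: str, fixed: bool = False):
    """Return ('cgi', script) when the request would be executed as CGI,
    or ('static', fs_path) when it would be served as a file."""
    hit = (is_cgi_fixed if fixed else is_cgi_vulnerable)(raw_path)
    if hit:
        return 'cgi', hit[1]
    return 'static', translate_static_path(raw_path)


# Constructed access-log lines (Common Log Format), not real traffic.
LOG_SAMPLE = """\
10.0.0.5 - - [25/Jun/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [25/Jun/2014:10:00:02 +0000] "GET /cgi-bin/script.py HTTP/1.1" 200 88
10.0.0.9 - - [25/Jun/2014:10:00:03 +0000] "GET /cgi-bin%2fscript.py HTTP/1.1" 200 1403
10.0.0.9 - - [25/Jun/2014:10:00:04 +0000] "GET /docs%2Freadme.txt HTTP/1.1" 200 301
10.0.0.9 - - [25/Jun/2014:10:00:05 +0000] "POST /htbin%2Fadmin.cgi?x=1 HTTP/1.1" 200 2210
"""

_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_text: str):
    """Flag request paths the vulnerable and fixed handlers would treat
    differently. That divergence is exactly the CVE-2014-4650 condition, so an
    encoded slash outside the CGI directories (/docs%2Freadme.txt) is not flagged."""
    flagged = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if m and classify(m.group(1)) != classify(m.group(1), fixed=True):
            flagged.append(m.group(1))
    return flagged


if __name__ == '__main__':
    for path in ['/cgi-bin/script.py', '/cgi-bin%2fscript.py']:
        print(path, 'vulnerable ->', classify(path), '| fixed ->', classify(path, fixed=True))
    print('suspicious:', suspicious_requests(LOG_SAMPLE))
```

Run as-is: the vulnerable classification of `/cgi-bin%2fscript.py` resolves to the file `/srv/www/cgi-bin/script.py`, i.e. the script body would be returned instead of executed, while the fixed ordering treats it as CGI. The log scan flags only the two requests where the two orderings disagree, which is the property a detection rule for this CVE should have; a naive rule that matches any `%2f` would also fire on the harmless `/docs%2Freadme.txt` line.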

Weakness Enumeration

Path traversal (CWE-22)

Related Identifiers

ALT-PU-2014-2376
ALT-PU-2016-1294
BDU:2015-00666
CESA-2015_1330
CESA-2015_2101
CVE-2014-4650
MGASA-2014-0285
OPENSUSE-SU-2020:0086-1
OPENSUSE-SU-2024:10100-1
OPENSUSE-SU-2024:10426-1
OPENSUSE-SU-2024:10536-1
OPENSUSE-SU-2024:11202-1
OPENSUSE-SU-2024:11283-1
OPENSUSE-SU-2024:11284-1
OPENSUSE-SU-2024:11285-1
OPENSUSE-SU-2024:11286-1
OPENSUSE-SU-2024:12089-1
OPENSUSE-SU-2024:12910-1
OPENSUSE-SU-2024:14109-1
OPENSUSE-SU-2024:14434-1
OPENSUSE-SU-2025:15713-1
RHSA-2015:1064
RHSA-2015:1330
RHSA-2015:2101
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2014_0998-1
SUSE-SU-2014_1005-1
SUSE-SU-2014_1009-1
SUSE-SU-2014_1011-1
SUSE-SU-2015:1344-1
SUSE-SU-2020:0114-1
SUSE-SU-2020:0234-1
USN-2653-1

Affected Products

Alt Linux
CentOS
Python
Red Hat
SUSE
Ubuntu