6.2 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.071 Low
EPSS
Percentile
94.0%
CentOS Errata and Security Advisory CESA-2014:0788
The mod_wsgi adapter is an Apache module that provides a WSGI-compliant
interface for hosting Python-based web applications within Apache.
It was found that mod_wsgi did not properly drop privileges if the call to
setuid() failed. If mod_wsgi was set up to allow unprivileged users to run
WSGI applications, a local user able to run a WSGI application could
possibly use this flaw to escalate their privileges on the system.
(CVE-2014-0240)
Note: mod_wsgi is not intended to provide privilege separation for WSGI
applications. Systems relying on mod_wsgi to limit or sandbox the
privileges of mod_wsgi applications should migrate to a different solution
with proper privilege separation.
It was discovered that mod_wsgi could leak memory of a hosted web
application via the βContent-Typeβ header. A remote attacker could possibly
use this flaw to disclose limited portions of the web applicationβs memory.
(CVE-2014-0242)
Red Hat would like to thank Graham Dumpleton for reporting these issues.
Upstream acknowledges RΓ³bert Kisteleki as the original reporter of
CVE-2014-0240, and Buck Golemon as the original reporter of CVE-2014-0242.
All mod_wsgi users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-June/082551.html
Affected packages:
mod_wsgi
Upstream details at:
https://access.redhat.com/errata/RHSA-2014:0788
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | i686 | mod_wsgi | <Β 3.2-6.el6_5 | mod_wsgi-3.2-6.el6_5.i686.rpm |
CentOS | 6 | x86_64 | mod_wsgi | <Β 3.2-6.el6_5 | mod_wsgi-3.2-6.el6_5.x86_64.rpm |
6.2 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.071 Low
EPSS
Percentile
94.0%