Gentoo FoundationGLSA-201412-21mod_wsgi: Privilege escalation
6.2 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.071 Low
EPSS
Percentile
94.0%
Background
mod_wsgi is an Apache2 module for running Python WSGI applications.
Description
Two vulnerabilities have been found in mod_wsgi:
- Error codes returned by setuid are not properly handled (CVE-2014-0240)
- A memory leak exists via the “Content-Type” header (CVE-2014-0242)
Impact
A local attacker may be able to gain escalated privileges. Furthermore, a remote attacker may be able to obtain sensitive information.
Workaround
There is no known workaround at this time.
Resolution
All mod_wsgi users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-3.5"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | www-apache/mod_wsgi | < 3.5 | UNKNOWN |
Related
6.2 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.071 Low
EPSS
Percentile
94.0%