Main Vulnerability Database Vulnerabilities #VU110146

#VU110146 Path traversal in Python - CVE-2014-4650

Published: June 27, 2022 / Updated: June 3, 2025

Vulnerability identifier: #VU110146

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2014-4650

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Python

Software vendor:
Python.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Remediation

Install update from vendor's website.

External links

http://bugs.python.org/issue21766
http://openwall.com/lists/oss-security/2014/06/26/3
https://access.redhat.com/security/cve/cve-2014-4650

#VU110146 Path traversal in Python - CVE-2014-4650

Description

Remediation

External links

Please verify you're human