Main Vulnerability Database Vulnerabilities #VU41605

Permissions, Privileges, and Access Controls in mod_wsgi - CVE-2014-0240

Published: May 27, 2014 / Updated: August 9, 2022

Vulnerability identifier: #VU41605

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-0240

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Graham Dumpleton

Affected software:
mod_wsgi

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.

How to mitigate CVE-2014-0240

Install update from vendor's website.

Sources

http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html
http://modwsgi.readthedocs.org/en/latest/release-notes/version-3.5.html
http://rhn.redhat.com/errata/RHSA-2014-0789.html
http://www.openwall.com/lists/oss-security/2014/05/21/1

Permissions, Privileges, and Access Controls in mod_wsgi - CVE-2014-0240

Detailed vulnerability description

How to mitigate CVE-2014-0240

Sources

Please verify you're human