It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation.
Find out more about CVE-2014-0240 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 6.9 |
|---|---|
| Base Metrics | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| Access Vector | Local |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Complete |
| Integrity Impact | Complete |
| Availability Impact | Complete |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (mod_wsgi) | RHSA-2014:1091 | 2014-08-25 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 | RHSA-2014:0789 | 2014-06-25 |
| Red Hat Enterprise Linux 6 (mod_wsgi) | RHSA-2014:0788 | 2014-06-25 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 | RHSA-2014:0789 | 2014-06-25 |
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | mod_wsgi | Will not fix |
| Red Hat Satellite Proxy 5.6 | mod_wsgi | Not affected |
| Red Hat Satellite 6 | mod_wsgi | Not affected |
| Red Hat Satellite 5.6 | mod_wsgi | Will not fix |
| Red Hat OpenShift Enterprise 2 | python27-mod_wsgi | Affected |
Vulmon