It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation.
Find out more about CVE-2014-0240 from the MITRE CVE dictionary dictionary and NIST NVD.
Base Score | 6.9 |
---|---|
Base Metrics | AV:L/AC:M/Au:N/C:C/I:C/A:C |
Access Vector | Local |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Complete |
Integrity Impact | Complete |
Availability Impact | Complete |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 (mod_wsgi) | RHSA-2014:1091 | 2014-08-25 |
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 | RHSA-2014:0789 | 2014-06-25 |
Red Hat Enterprise Linux 6 (mod_wsgi) | RHSA-2014:0788 | 2014-06-25 |
Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 | RHSA-2014:0789 | 2014-06-25 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | mod_wsgi | Will not fix |
Red Hat Satellite Proxy 5.6 | mod_wsgi | Not affected |
Red Hat Satellite 6 | mod_wsgi | Not affected |
Red Hat Satellite 5.6 | mod_wsgi | Will not fix |
Red Hat OpenShift Enterprise 2 | python27-mod_wsgi | Affected |