CVE-2014-0242

Published: 09/12/2019 Updated: 17/12/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 435
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

The mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header, which is generated from memory that may have been freed and then overwritten by a separate thread.

Vulnerable Product

modwsgi mod wsgi

Vendor Advisories

Debian Bug report logs - #748910 CVE-2014-0240: Possibility of local privilege escalation when using daemon mode. Package: libapache2-mod-wsgi; Maintainer for libapache2-mod-wsgi is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for libapache2-mod-wsgi is src:mod-wsgi (PTS, buildd, popcon) R ...
mod_wsgi could be made to run programs as an administrator if it executes a specially crafted file ...
Two security issues have been found in the Python WSGI adapter module for Apache: CVE-2014-0240: Robert Kisteleki discovered a potential privilege escalation in daemon mode. This is not exploitable with the kernel used in Debian 7.0/wheezy. CVE-2014-0242: Buck Golemon discovered that incorrect memory handling could lead to inform ...
It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. Note: mod_wsgi is not intended to provide privilege separation f ...

Exploits

source: www.securityfocus.com/bid/67534/info

mod_wsgi is prone to a remote information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

    import functools
    import threading
    import time
    import random

    def run(*args):
        while True:
            items = [] ...