Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2014-0240

Public on 2014-05-27
Modified on 2014-09-19
Description

It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system.

Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation.

Severity
Important
See what this means
CVSS v3 Base Score
6.9
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 mod24_wsgi 2014-07-09 23:02 ALAS-2014-375
Amazon Linux 1 mod_wsgi 2014-07-09 23:07 ALAS-2014-376

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
NVD CVSSv2 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C