Main Vulnerability Database SB2014052705

SB2014052705 - Security restrictions bypass in mod_wsgi

Published: May 27, 2014 Updated: August 9, 2022

Security Bulletin ID SB2014052705

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0240)

The vulnerability allows a local user to escalate privileges on the system.

The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.

Remediation

Install update from vendor's website.

References

http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html
http://modwsgi.readthedocs.org/en/latest/release-notes/version-3.5.html
http://rhn.redhat.com/errata/RHSA-2014-0789.html
http://www.openwall.com/lists/oss-security/2014/05/21/1