Vulnerabilities > CVE-2014-0242 - Information Exposure vulnerability in Modwsgi MOD Wsgi
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Exploit-Db
description | Apache 'mod_wsgi' Module Information Disclosure Vulnerability. CVE-2014-0242. Remote exploit for linux platform |
id | EDB-ID:39196 |
last seen | 2016-02-04 |
modified | 2014-05-21 |
published | 2014-05-21 |
reporter | Buck Golemon |
source | https://www.exploit-db.com/download/39196/ |
title | Apache 'mod_wsgi' Module Information Disclosure Vulnerability |
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20140625_MOD_WSGI_ON_SL6_X.NASL description It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. It was discovered that mod_wsgi could leak memory of a hosted web application via the last seen 2020-03-18 modified 2014-06-26 plugin id 76246 published 2014-06-26 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76246 title Scientific Linux Security Update : mod_wsgi on SL6.x i386/srpm/x86_64 (20140625) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(76246); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25"); script_cve_id("CVE-2014-0240", "CVE-2014-0242"); script_name(english:"Scientific Linux Security Update : mod_wsgi on SL6.x i386/srpm/x86_64 (20140625)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. It was discovered that mod_wsgi could leak memory of a hosted web application via the 'Content-Type' header. A remote attacker could possibly use this flaw to disclose limited portions of the web application's memory. (CVE-2014-0242)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1406&L=scientific-linux-errata&T=0&P=2620 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f86eee0a" ); script_set_attribute( attribute:"solution", value:"Update the affected mod_wsgi and / or mod_wsgi-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:mod_wsgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:mod_wsgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/27"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"mod_wsgi-3.2-6.el6_5")) flag++; if (rpm_check(release:"SL6", reference:"mod_wsgi-debuginfo-3.2-6.el6_5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_wsgi / mod_wsgi-debuginfo"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2014-6944.NASL description http://modwsgi.readthedocs.org/en/develop/release-notes/version-3.5.ht ml Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-06-18 plugin id 76096 published 2014-06-18 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76096 title Fedora 20 : mod_wsgi-3.5-1.fc20 (2014-6944) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2014-6944. # include("compat.inc"); if (description) { script_id(76096); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-0240", "CVE-2014-0242"); script_bugtraq_id(67532, 67932); script_xref(name:"FEDORA", value:"2014-6944"); script_name(english:"Fedora 20 : mod_wsgi-3.5-1.fc20 (2014-6944)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "http://modwsgi.readthedocs.org/en/develop/release-notes/version-3.5.ht ml Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://modwsgi.readthedocs.org/en/develop/release-notes/version-3.5.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6e385372" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1101863" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1101873" ); # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134424.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?71a7141c" ); script_set_attribute( attribute:"solution", value:"Update the affected mod_wsgi package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_wsgi"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20"); script_set_attribute(attribute:"patch_publication_date", value:"2014/05/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC20", reference:"mod_wsgi-3.5-1.fc20")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_wsgi"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0788.NASL description An updated mod_wsgi package that fixes two security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. It was discovered that mod_wsgi could leak memory of a hosted web application via the last seen 2020-06-01 modified 2020-06-02 plugin id 76243 published 2014-06-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76243 title RHEL 6 : mod_wsgi (RHSA-2014:0788) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2937.NASL description Two security issues have been found in the Python WSGI adapter module for Apache : - CVE-2014-0240 Robert Kisteleki discovered a potential privilege escalation in daemon mode. This is not exploitable with the kernel used in Debian 7.0/wheezy. - CVE-2014-0242 Buck Golemon discovered that incorrect memory handling could lead to information disclosure when processing Content-Type headers. last seen 2020-03-17 modified 2014-05-28 plugin id 74197 published 2014-05-28 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74197 title Debian DSA-2937-1 : mod-wsgi - security update NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2222-1.NASL description Robert Kisteleki discovered mod_wsgi incorrectly checked setuid return values. A malicious application could use this issue to cause a local privilege escalation when using daemon mode. (CVE-2014-0240) Buck Golemon discovered that mod_wsgi used memory that had been freed. A remote attacker could use this issue to read process memory via the Content-Type response header. This issue only affected Ubuntu 12.04 LTS. (CVE-2014-0242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 74185 published 2014-05-27 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74185 title Ubuntu 12.04 LTS / 13.10 / 14.04 LTS : mod-wsgi vulnerabilities (USN-2222-1) NASL family Fedora Local Security Checks NASL id FEDORA_2014-6938.NASL description http://modwsgi.readthedocs.org/en/develop/release-notes/version-3.5.ht ml Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-06-18 plugin id 76095 published 2014-06-18 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76095 title Fedora 19 : mod_wsgi-3.5-1.fc19 (2014-6938) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-0788.NASL description An updated mod_wsgi package that fixes two security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. It was discovered that mod_wsgi could leak memory of a hosted web application via the last seen 2020-06-01 modified 2020-06-02 plugin id 76217 published 2014-06-26 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76217 title CentOS 6 : mod_wsgi (CESA-2014:0788) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201412-21.NASL description The remote host is affected by the vulnerability described in GLSA-201412-21 (mod_wsgi: Privilege escalation) Two vulnerabilities have been found in mod_wsgi: Error codes returned by setuid are not properly handled (CVE-2014-0240) A memory leak exists via the “Content-Type” header (CVE-2014-0242) Impact : A local attacker may be able to gain escalated privileges. Furthermore, a remote attacker may be able to obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 79974 published 2014-12-15 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79974 title GLSA-201412-21 : mod_wsgi: Privilege escalation NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-376.NASL description It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. mod_wsgi allows you to host Python applications on the Apache HTTP Server. It was found that a remote attacker could leak portions of a mod_wsgi application last seen 2020-06-01 modified 2020-06-02 plugin id 78319 published 2014-10-12 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78319 title Amazon Linux AMI : mod_wsgi (ALAS-2014-376) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0788.NASL description From Red Hat Security Advisory 2014:0788 : An updated mod_wsgi package that fixes two security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. It was discovered that mod_wsgi could leak memory of a hosted web application via the last seen 2020-06-01 modified 2020-06-02 plugin id 76231 published 2014-06-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76231 title Oracle Linux 6 : mod_wsgi (ELSA-2014-0788) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-137.NASL description Multiple vulnerabilities has been discovered and corrected in apache-mod_wsgi : It was found that mod_wsgi did not properly drop privileges if the call to setuid\(\) failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system (CVE-2014-0240). It was discovered that mod_wsgi could leak memory of a hosted web application via the Content-Type header. A remote attacker could possibly use this flaw to disclose limited portions of the web application last seen 2020-06-01 modified 2020-06-02 plugin id 76481 published 2014-07-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76481 title Mandriva Linux Security Advisory : apache-mod_wsgi (MDVSA-2014:137) NASL family CGI abuses NASL id MOD_WSGI_3_4.NASL description According to the web server banner, the version of mod_wsgi running on the remote host is prior to version 3.4. It is, therefore, affected by a remote information disclosure vulnerability. The issue is due to the handling of corrupted last seen 2020-06-01 modified 2020-06-02 plugin id 76496 published 2014-07-14 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76496 title Apache mod_wsgi < 3.4 Remote Information Disclosure NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-375.NASL description It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. mod_wsgi allows you to host Python applications on the Apache HTTP Server. It was found that a remote attacker could leak portions of a mod_wsgi application last seen 2020-06-01 modified 2020-06-02 plugin id 78318 published 2014-10-12 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78318 title Amazon Linux AMI : mod24_wsgi (ALAS-2014-375) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-421.NASL description apache2-mod_wsgi was updated to fix two security issues. These security issues were fixed : - Information exposure (CVE-2014-0242) - Local privilege escalation (CVE-2014-0240) last seen 2020-06-05 modified 2014-06-16 plugin id 76069 published 2014-06-16 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76069 title openSUSE Security Update : apache2-mod_wsgi (openSUSE-SU-2014:0782-1)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html
- http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html
- http://modwsgi.readthedocs.org/en/latest/release-notes/version-3.4.html
- http://modwsgi.readthedocs.org/en/latest/release-notes/version-3.4.html
- http://www.openwall.com/lists/oss-security/2014/05/21/1
- http://www.openwall.com/lists/oss-security/2014/05/21/1
- http://www.securityfocus.com/bid/67534
- http://www.securityfocus.com/bid/67534