Vulnerabilities > CVE-2014-4616 - Improper Validation of Array Index vulnerability in multiple products

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE

Summary

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

Vulnerable Configurations

Part Description Count
Application
Python
113
Application
Simplejson_Project
44
OS
Opensuse_Project
1
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2653-1.NASL
    descriptionIt was discovered that multiple Python protocol libraries incorrectly limited certain data when connecting to servers. A malicious ftp, http, imap, nntp, pop or smtp server could use this issue to cause a denial of service. (CVE-2013-1752) It was discovered that the Python xmlrpc library did not limit unpacking gzip-compressed HTTP bodies. A malicious server could use this issue to cause a denial of service. (CVE-2013-1753) It was discovered that the Python json module incorrectly handled a certain argument. An attacker could possibly use this issue to read arbitrary memory and expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4616) It was discovered that the Python CGIHTTPServer incorrectly handled URL-encoded path separators in URLs. A remote attacker could use this issue to expose sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4650) It was discovered that Python incorrectly handled sizes and offsets in buffer functions. An attacker could possibly use this issue to read arbitrary memory and obtain sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2015-06-26
    plugin id84428
    published2015-06-26
    reporterUbuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84428
    titleUbuntu 12.04 LTS / 14.04 LTS / 14.10 : python2.7, python3.2, python3.4 vulnerabilities (USN-2653-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-2101.NASL
    descriptionFrom Red Hat Security Advisory 2015:2101 : Updated python packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753) It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650) An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185) A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616) The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108) This update also fixes the following bugs : * Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an
    last seen2020-03-18
    modified2015-11-24
    plugin id87020
    published2015-11-24
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87020
    titleOracle Linux 7 : python (ELSA-2015-2101)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-7800.NASL
    descriptionFix for CVE-2014-4616 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-07-01
    plugin id76328
    published2014-07-01
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76328
    titleFedora 20 : python-2.7.5-13.fc20 (2014-7800)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20151119_PYTHON_ON_SL7_X.NASL
    descriptionIt was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753) It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650) An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185) A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616) The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) This update also fixes the following bugs : - Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an
    last seen2020-03-18
    modified2015-12-22
    plugin id87570
    published2015-12-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87570
    titleScientific Linux Security Update : python on SL7.x x86_64 (20151119)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-075.NASL
    descriptionUpdated python packages fix security vulnerabilities : A vulnerability was reported in Python
    last seen2020-06-01
    modified2020-06-02
    plugin id82328
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82328
    titleMandriva Linux Security Advisory : python (MDVSA-2015:075)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-2101.NASL
    descriptionUpdated python packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753) It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650) An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185) A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616) The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108) This update also fixes the following bugs : * Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an
    last seen2020-03-17
    modified2015-12-02
    plugin id87129
    published2015-12-02
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87129
    titleCentOS 7 : python (CESA-2015:2101)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1434.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that Python
    last seen2020-06-01
    modified2020-06-02
    plugin id124937
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124937
    titleEulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-2101.NASL
    descriptionUpdated python packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753) It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650) An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185) A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616) The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108) This update also fixes the following bugs : * Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an
    last seen2020-03-18
    modified2015-11-20
    plugin id86968
    published2015-11-20
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86968
    titleRHEL 7 : python (RHSA-2015:2101)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-7772.NASL
    descriptionFix for CVE-2014-4616 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-07-17
    plugin id76539
    published2014-07-17
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76539
    titleFedora 19 : python-2.7.5-13.fc19 (2014-7772)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-374.NASL
    descriptionIt was reported that Python built-in _json module have a flaw (insufficient bounds checking), which allows a local user to read current process
    last seen2020-06-01
    modified2020-06-02
    plugin id78317
    published2014-10-12
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78317
    titleAmazon Linux AMI : python-simplejson (ALAS-2014-374)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-14208.NASL
    descriptionFix for CVE-2014-4650: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs. Fix for CVE-2014-4650 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-11-11
    plugin id79095
    published2014-11-11
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79095
    titleFedora 21 : python3-3.4.1-16.fc21 (2014-14208)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2014-135.NASL
    descriptionUpdated python and python-simplejson package fixes security vulnerability Python are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used an an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616). This issue also affected the python-simplejson package, which has been patched to fix the bug.
    last seen2020-06-01
    modified2020-06-02
    plugin id76471
    published2014-07-11
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76471
    titleMandriva Linux Security Advisory : python (MDVSA-2014:135)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-380.NASL
    descriptionIt was reported that Python built-in _json module have a flaw (insufficient bounds checking), which allows a local user to read current process
    last seen2020-06-01
    modified2020-06-02
    plugin id78323
    published2014-10-12
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78323
    titleAmazon Linux AMI : python27 (ALAS-2014-380)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-14257.NASL
    descriptionFix for CVE-2014-4650: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs. Fix for CVE-2014-4650 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-11-14
    plugin id79238
    published2014-11-14
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79238
    titleFedora 19 : python3-3.3.2-10.fc19 (2014-14257)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201503-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201503-10 (Python: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Python. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id82009
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82009
    titleGLSA-201503-10 : Python: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-458.NASL
    descriptionpython and python3 were updated to fix one security issue. This security issue was fixed : - Missing boundary check in JSON module (CVE-2014-4616)
    last seen2020-06-05
    modified2014-07-14
    plugin id76488
    published2014-07-14
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76488
    titleopenSUSE Security Update : python / python3 (openSUSE-SU-2014:0890-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-8035.NASL
    descriptionFix for CVE-2014-4616 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-07-17
    plugin id76540
    published2014-07-17
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76540
    titleFedora 19 : python3-3.3.2-9.fc19 (2014-8035)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-076.NASL
    descriptionUpdated python3 packages fix security vulnerabilities : ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338). A vulnerability was reported in Python
    last seen2020-06-01
    modified2020-06-02
    plugin id82329
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82329
    titleMandriva Linux Security Advisory : python3 (MDVSA-2015:076)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-14245.NASL
    descriptionFix for CVE-2014-4650: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs. Fix for CVE-2014-4650 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-11-10
    plugin id79076
    published2014-11-10
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79076
    titleFedora 20 : python3-3.3.2-18.fc20 (2014-14245)

Redhat

advisories
rhsa
idRHSA-2015:1064
rpms
  • python27-0:1.1-17.el6
  • python27-0:1.1-20.el7
  • python27-python-0:2.7.8-3.el6
  • python27-python-0:2.7.8-3.el7
  • python27-python-debug-0:2.7.8-3.el6
  • python27-python-debug-0:2.7.8-3.el7
  • python27-python-debuginfo-0:2.7.8-3.el6
  • python27-python-debuginfo-0:2.7.8-3.el7
  • python27-python-devel-0:2.7.8-3.el6
  • python27-python-devel-0:2.7.8-3.el7
  • python27-python-libs-0:2.7.8-3.el6
  • python27-python-libs-0:2.7.8-3.el7
  • python27-python-pip-0:1.5.6-5.el6
  • python27-python-pip-0:1.5.6-5.el7
  • python27-python-setuptools-0:0.9.8-3.el6
  • python27-python-setuptools-0:0.9.8-5.el7
  • python27-python-simplejson-0:3.2.0-2.el6
  • python27-python-simplejson-0:3.2.0-3.el7
  • python27-python-simplejson-debuginfo-0:3.2.0-2.el6
  • python27-python-simplejson-debuginfo-0:3.2.0-3.el7
  • python27-python-test-0:2.7.8-3.el6
  • python27-python-test-0:2.7.8-3.el7
  • python27-python-tools-0:2.7.8-3.el6
  • python27-python-tools-0:2.7.8-3.el7
  • python27-python-wheel-0:0.24.0-2.el6
  • python27-python-wheel-0:0.24.0-2.el7
  • python27-runtime-0:1.1-17.el6
  • python27-runtime-0:1.1-20.el7
  • python27-scldevel-0:1.1-17.el6
  • python27-scldevel-0:1.1-20.el7
  • python27-tkinter-0:2.7.8-3.el6
  • python27-tkinter-0:2.7.8-3.el7
  • python-0:2.7.5-34.el7
  • python-debug-0:2.7.5-34.el7
  • python-debuginfo-0:2.7.5-34.el7
  • python-devel-0:2.7.5-34.el7
  • python-libs-0:2.7.5-34.el7
  • python-test-0:2.7.5-34.el7
  • python-tools-0:2.7.5-34.el7
  • tkinter-0:2.7.5-34.el7