Vulnerability Details : CVE-2014-8583
mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors.
Exploit prediction scoring system (EPSS) score for CVE-2014-8583
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 25 %
CVSS scores for CVE-2014-8583
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST |
CWE ids for CVE-2014-8583
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8583
- http://www.openwall.com/lists/oss-security/2014/06/19/7
  oss-security - CVE request: mod_wsgi group privilege dropping [was Re: Security release for mod_wsgi (version 3.5)]
- http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.2.4.html
  Version 4.2.4 — mod_wsgi 4.6.7 documentation (Patch; Vendor Advisory)
- http://www.securityfocus.com/bid/68111
  Apache 'mod_wsgi' Module Privilege Escalation Vulnerability
- https://bugzilla.redhat.com/show_bug.cgi?id=1111034
  1111034 – (CVE-2014-8583) CVE-2014-8583 mod_wsgi: failure to handle errors when attempting to drop group privileges
- http://advisories.mageia.org/MGASA-2014-0513.html
  Mageia Advisory: MGASA-2014-0513 - Updated apache-mod_wsgi package fixes security vulnerability
- https://security.gentoo.org/glsa/201612-49
  mod_wsgi: Privilege escalation (GLSA 201612-49) — Gentoo security
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:253
  mandriva.com
- http://www.openwall.com/lists/oss-security/2014/11/04/8
  oss-security - Re: CVE request: mod_wsgi group privilege dropping [was Re: Security release for mod_wsgi (version 3.5)]
- http://www.ubuntu.com/usn/USN-2431-1
  USN-2431-1: mod_wsgi vulnerability | Ubuntu security notices
- http://lists.opensuse.org/opensuse-updates/2014-12/msg00036.html
  openSUSE-SU-2014:1590-1: moderate: Security update for apache2-mod_wsgi
Products affected by CVE-2014-8583
- cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*