Executive Summary
| Summary | |
|---|---|
| Title | uwsgi security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-4142 | First vendor Publication | 2018-03-17 |
| Vendor | Debian | Last vendor Modification | 2018-03-17 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Marios Nicolaides discovered that the PHP plugin in uWSGI, a fast, self-healing application container server, does not properly handle a DOCUMENT_ROOT check during use of the --php-docroot option, allowing a remote attacker to mount a directory traversal attack and gain unauthorized read access to sensitive files located outside of the web root directory. For the oldstable distribution (jessie), this problem has been fixed in version 2.0.7-1+deb8u2. This update additionally includes the fix for CVE-2018-6758 which was aimed to be addressed in the upcoming jessie point release. For the stable distribution (stretch), this problem has been fixed in version 2.0.14+20161117-3+deb9u2. We recommend that you upgrade your uwsgi packages. For the detailed security status of uwsgi please refer to its security tracker page at: https://security-tracker.debian.org/tracker/uwsgi |
Original Source
| Url : http://www.debian.org/security/2018/dsa-4142 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
| 50 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 | |
| Os | 2 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2019-01-03 | Name : The remote Fedora host is missing a security update. File : fedora_2018-acfce682f4.nasl - Type : ACT_GATHER_INFO |
| 2018-07-24 | Name : The remote Fedora host is missing a security update. File : fedora_2018-04b3af1edf.nasl - Type : ACT_GATHER_INFO |
| 2018-03-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-4142.nasl - Type : ACT_GATHER_INFO |
| 2018-02-14 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_a8f25565109e11e88d4197657151f8c2.nasl - Type : ACT_GATHER_INFO |
| 2018-02-12 | Name : The remote Debian host is missing a security update. File : debian_DLA-1275.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2018-03-17 21:18:48 |
|
