ID CVE-2014-8583
Summary mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors.
References
Vulnerable Configurations
  • modwsgi mod_wsgi 4.2.4
    cpe:2.3:a:modwsgi:mod_wsgi:4.2.4
CVSS
Base: 6.9 (as of 17-12-2014 - 11:53)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2431-1.NASL
    description It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 79717
    published 2014-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79717
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : mod-wsgi vulnerability (USN-2431-1)
  • NASL family Web Servers
    NASL id MOD_WSGI_4_2_4.NASL
    description According to the web server banner, the version of mod_wsgi running on the remote host is prior to version 4.2.4. It is, therefore, affected by a privilege escalation vulnerability. The issue is triggered when attempting to drop group privileges and an error with 'setgid', 'setgroups', and 'initgroups' occurs. The error is reported, but mod_wsgi continues to run with root group privileges, rather than dropping privileges as intended. A local attacker could potentially gain escalated privileges. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 76498
    published 2014-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76498
    title Apache mod_wsgi < 4.2.4 Privilege Dropping Privilege Escalation
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-753.NASL
    description apache2-mod_wsgi was updated to fix one security issue. This security issue was fixed : - Failure to handle errors when attempting to drop group privileges (CVE-2014-8583).
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 79815
    published 2014-12-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79815
    title openSUSE Security Update : apache2-mod_wsgi (openSUSE-SU-2014:1590-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-253.NASL
    description Updated apache-mod_wsgi package fixes security vulnerability : It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode (CVE-2014-8583).
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 80042
    published 2014-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80042
    title Mandriva Linux Security Advisory : apache-mod_wsgi (MDVSA-2014:253)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-180.NASL
    description Updated apache-mod_wsgi package fixes security vulnerabilities : apache-mod_wsgi before 4.2.4 contained an off-by-one error in applying a limit to the number of supplementary groups allowed for a daemon process group. The result could be that if more groups than the operating system allowed were specified to the option supplementary-groups, then memory corruption or a process crash could occur. It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode (CVE-2014-8583).
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 82455
    published 2015-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82455
    title Mandriva Linux Security Advisory : apache-mod_wsgi (MDVSA-2015:180)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201612-49.NASL
    description The remote host is affected by the vulnerability described in GLSA-201612-49 (mod_wsgi: Privilege escalation) mod_wsgi, when creating a daemon process group, does not properly handle dropping group privileges. Impact : Context-dependent attackers could escalate privileges due to the improper handling of group privileges. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2017-01-03
    plugin id 96224
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96224
    title GLSA-201612-49 : mod_wsgi: Privilege escalation
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-987.NASL
    description Failure to handle errors when attempting to drop group privileges mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors. (CVE-2014-8583)
    last seen 2019-01-16
    modified 2018-04-27
    plugin id 109369
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109369
    title Amazon Linux AMI : mod24_wsgi (ALAS-2018-987)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-987.NASL
    description Failure to handle errors when attempting to drop group privileges : mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors. (CVE-2014-8583)
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 109140
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109140
    title Amazon Linux 2 : mod_wsgi (ALAS-2018-987)
refmap via4
bid 68111
confirm
gentoo GLSA-201612-49
mandriva MDVSA-2014:253
mlist
  • [oss-security] 20140619 CVE request: mod_wsgi group privilege dropping [was Re: Security release for mod_wsgi (version 3.5)]
  • [oss-security] 20141104 Re: CVE request: mod_wsgi group privilege dropping [was Re: Security release for mod_wsgi (version 3.5)]
suse openSUSE-SU-2014:1590
ubuntu USN-2431-1
Last major update 30-12-2016 - 21:59
Published 16-12-2014 - 13:59
Last modified 30-06-2017 - 21:29
Back to Top