CVE-2018-7490

NameCVE-2018-7490
DescriptionuWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4142-1
NVD severitymedium (attack range: remote)
Debian Bugs891639

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
uwsgi (PTS)jessie (security), jessie2.0.7-1+deb8u2fixed
stretch (security), stretch2.0.14+20161117-3+deb9u2fixed
buster2.0.18-1fixed
sid2.0.18-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
uwsgisource(unstable)2.0.15-10.4medium891639
uwsgisourcejessie2.0.7-1+deb8u2mediumDSA-4142-1
uwsgisourcestretch2.0.14+20161117-3+deb9u2mediumDSA-4142-1
uwsgisourcewheezy(not affected)

Notes

[wheezy] - uwsgi <not-affected> (plugin package introduced in jessie)
Fixed in 2.0.17 upstream
https://github.com/unbit/uwsgi/commit/0a480f435ea6feb63deb410ad2bf376ed3f05f8a
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/

Search for package or bug name: Reporting problems