
Cloud Vulnerability DB
A community-led vulnerabilities database
The CGIHTTPServer module in Python versions 2.7.5 and 3.3.4 contains a critical security vulnerability: it fails to properly handle URLs containing URL-encoded path separators. The vulnerability was discovered in 2014 and assigned CVE-2014-4650. The issue affects multiple Python versions, including Python 2.7.x (up to 2.7.8), Python 3.2.x (up to 3.2.6), Python 3.3.x (up to 3.3.6), and Python 3.4.x (up to 3.4.2) (NVD).
The vulnerability stems from the CGIHTTPServer module's improper handling of URL-encoded path separators. The issue occurs because neither the is_cgi() nor the run_cgi() method URL-decodes the path during processing until run_cgi() attempts to determine whether the target script is an executable file. When the forward slash following the CGI directory in the URL is replaced with its URL-encoded form, %2f, is_cgi() returns False, so CGIHTTPRequestHandler falls through to its parent's send_head() method, which translates the URL path to a file system path with translate_path() and handles the request as a plain file read rather than as CGI execution. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD, Python Bug Tracker).
The vulnerability enables remote attackers to read script source code, potentially exposing sensitive information such as access credentials. Attackers can also conduct directory traversal attacks and execute unintended code through crafted character sequences. The vulnerability further allows execution of CGI scripts that would normally be restricted, including those outside the designated CGI directories (Python Bug Tracker).
A fix was implemented by URL-decoding the path before checking whether it refers to a CGI script. As a workaround, users can subclass CGIHTTPRequestHandler and override the is_cgi() method with a variant that first URL-decodes the supplied path. The vulnerability was patched in Python versions 2.7.8, 3.2.6, 3.3.6, and 3.4.2 (Python Bug Tracker).
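The mechanism described in the two paragraphs above, as an added illustration that is not CPython's own code: a simplified stand-in for CGIHTTPRequestHandler.is_cgi() and for the parent handler's translate_path(), run in both the pre-fix form (checking the still-encoded request path) and the fixed form (URL-decoding first). The helper names collapse_path and classify_request, the DOCUMENT_ROOT value and the sample request paths are assumptions constructed for this example.

```python
# Added example (not CPython's code): a simplified model of the CGI path
# check at the heart of CVE-2014-4650, in pre-fix and fixed variants.
import posixpath
from urllib.parse import unquote

CGI_DIRECTORIES = ['/cgi-bin', '/htbin']   # CGIHTTPRequestHandler's defaults
DOCUMENT_ROOT = '/srv/www'                 # constructed sample docroot


def collapse_path(path):
    """Normalise a URL path: drop query/fragment, collapse '.' and '..',
    and force a single leading slash.  Hypothetical stand-in for the
    private http.server._url_collapse_path helper, not the stdlib code."""
    path = path.split('?', 1)[0].split('#', 1)[0]
    collapsed = posixpath.normpath('/' + path.lstrip('/'))
    if path.endswith('/') and not collapsed.endswith('/'):
        collapsed += '/'           # keep directory requests distinguishable
    return collapsed


def is_cgi(path, decode_first):
    """Return (cgi_dir, script_and_pathinfo) when `path` names something
    under a CGI directory, else None.  decode_first=False reproduces the
    pre-fix logic, which inspects the still-encoded request path, so an
    encoded separator (%2f) is never seen as a '/'.  decode_first=True
    applies the fix: unquote before checking."""
    if decode_first:
        path = unquote(path)
    collapsed = collapse_path(path)
    dir_sep = collapsed.find('/', 1)
    if dir_sep == -1:
        return None
    head, tail = collapsed[:dir_sep], collapsed[dir_sep + 1:]
    return (head, tail) if head in CGI_DIRECTORIES else None


def translate_path(path):
    """Mimic SimpleHTTPRequestHandler.translate_path: URL-decode, collapse,
    and map under DOCUMENT_ROOT.  This step *does* decode %2f, which is why
    a request that slipped past is_cgi() ends up at the script file itself,
    served as a plain file rather than executed."""
    collapsed = collapse_path(unquote(path))
    return posixpath.join(DOCUMENT_ROOT, collapsed.lstrip('/'))


def classify_request(path, decode_first):
    """How the handler would treat a request: ('cgi', dir, tail) means the
    script is executed, ('static', fs_path) means its bytes are read back."""
    cgi = is_cgi(path, decode_first)
    if cgi is not None:
        return ('cgi',) + cgi
    return ('static', translate_path(path))


if __name__ == '__main__':
    for req in ['/cgi-bin/hello.py', '/cgi-bin%2fhello.py', '/index.html']:
        print(f'{req:24} pre-fix: {classify_request(req, False)}')
        print(f'{"":24} fixed:   {classify_request(req, True)}')
```

Running the block prints the three sample requests side by side: the plain `/cgi-bin/hello.py` is classified as CGI by both variants, while the `%2f`-encoded form is classified as a static file under the document root by the pre-fix check and as CGI only once the path is decoded first. The same decode-before-check ordering is what the subclassing workaround above achieves when it overrides is_cgi().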
Source: This report was generated using AI