Candidate: CVE-2018-7490
PublicDate: 2018-02-26 22:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
 https://github.com/unbit/uwsgi/commit/0a480f435ea6feb63deb410ad2bf376ed3f05f8a
 https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
Description:
 uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
 --php-docroot option, allowing directory traversal.
Ubuntu-Description:
 It was discovered that uWSGI did not properly validate certain input,
 resulting in a directory traversal vulnerability. An attacker could use
 this vulnerability to cause uWSGI to expose sensitive information.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mikesalvatore
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_uwsgi:
upstream_uwsgi: released (2.0.15-10.4, 2.0.7-1+deb8u2)
precise/esm_uwsgi: DNE
trusty_uwsgi: released (1.9.17.1-5ubuntu0.1)
trusty/esm_uwsgi: released (1.9.17.1-5ubuntu0.1)
xenial_uwsgi: released (2.0.12-5ubuntu3.2)
artful_uwsgi: ignored (reached end-of-life)
bionic_uwsgi: released (2.0.15-10.2ubuntu2.1)
devel_uwsgi: not-affected (2.0.15-10.4)