{"id":"CVE-2018-7490","details":"uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.","aliases":["GHSA-h2vm-c85r-5vh5","PYSEC-2018-78"],"modified":"2026-04-11T11:40:00.986086Z","published":"2018-02-26T22:29:00.697Z","references":[{"type":"ADVISORY","url":"https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4142"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/44223/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/unbit/uwsgi","events":[{"introduced":"0"},{"fixed":"50ffc6b28a7a84e273fb2b79c8d657b45887fe87"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.17"}]}}],"versions":["0.9.5","0.9.5.1","0.9.5beta1","0.9.5rc1","0.9.5rc2","0.9.6","0.9.6-rc1","0.9.6-rc2","0.9.6.1","0.9.6.2","0.9.7","0.9.7-beta1","0.9.7-rc1","0.9.7-rc2","0.9.7-rc3","0.9.7.1","0.9.7.2","0.9.8","0.9.8-rc1","0.9.8-rc2","0.9.8-rc3","0.9.8-rc4","0.9.8.1","0.9.8.2","0.9.8.3","0.9.9","0.9.9-beta1","0.9.9-rc1","0.9.9-rc2","1.0","1.0-rc1","1.0-rc10","1.0-rc2","1.0-rc3","1.0-rc4","1.0-rc5","1.0-rc6","1.0-rc7","1.0-rc8","1.0-rc9","1.0.1","1.1","1.1-rc1","1.1-rc2","1.1-rc3","1.1-rc4","1.2","1.2-rc1","1.2-rc2","1.3","1.3-rc2","1.3-rc3","1.3-rc4","1.4-rc1","1.4-rc2","1.9","1.9-rc1","1.9-rc2","1.9.1","1.9.10","1.9.11","1.9.12","1.9.13","1.9.14","1.9.15","1.9.16","1.9.17","1.9.17.1","1.9.18.1","1.9.19","1.9.2","1.9.21","1.9.21.1","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","2.0","2.0-rc1","2.0.1","2.0.10","2.0.11.1","2.0.11.2","2.0.12","2.0.13","2.0.13.1","2.0.14","2.0.15","2.0.16","2.0.2","2.0.3","2.0.4","2.0.5","2.0.5.1","2.0.6","2.0.7","2.0.8","2.0.9","no_server_mode"],"database_specific":{"vanir_signatures_modified":"2026-04-11T11:40:00Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7490.json","vanir_signatures":[{"target":{"function":"emperor_send_stats","file":"core/emperor.c"},"signature_version":"v1","id":"CVE-2018-7490-10a9e9fb","deprecated":false,"signature_type":"Function","digest":{"length":4401,"function_hash":"40819405896703077170114517224641591161"},"source":"https://github.com/unbit/uwsgi/commit/50ffc6b28a7a84e273fb2b79c8d657b45887fe87"},{"target":{"file":"core/emperor.c"},"signature_version":"v1","id":"CVE-2018-7490-dad61214","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["183921310509659873877742638882587627729","253732705211709347952798536006006680026","70117204752041438384735343179857933391","250711984050732733881674518222307053012","156477072178116142811456001594875906112","110936179626844845554820386236306811073","175571910637939687637911481670568491034"]},"source":"https://github.com/unbit/uwsgi/commit/50ffc6b28a7a84e273fb2b79c8d657b45887fe87"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}