uWSGI Unauthorized Access Vulnerability

Description
  • uWSGI is a web application server that implements the WSGI, uwsgi and HTTP protocols and supports various languages through plugins.

    uWSGI allows the back-end web application to be configured dynamically through uwsgi protocol magic variables. If the uWSGI port is exposed, an attacker can construct uwsgi packets that set the magic variable UWSGI_FILE and execute arbitrary commands through the exec:// protocol.

    It was confirmed that the uWSGI port 8000 is publicly accessible.
Remediation
  • The uWSGI port should not be publicly accessible. Configure uWSGI to listen only on the loopback interface (127.0.0.1) or on a Unix domain socket, and place a reverse proxy in front of it if the application must be reachable from other hosts.
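    The following script is an added example, not part of this report or of the uWSGI project: it audits a uWSGI ini file for listening options bound to non-loopback addresses, which is the condition described above. The two embedded configurations are constructed samples: one reproduces the exposed setting (socket on 0.0.0.0:8000) and one shows the remediated setting (127.0.0.1:8000). The option names in LISTEN_OPTIONS are documented uWSGI options; the audit functions and their names are this example's own.

```python
import configparser
import ipaddress

# Constructed sample: the exposed configuration (reachable on all interfaces).
EXPOSED_INI = """
[uwsgi]
module = app:application
socket = 0.0.0.0:8000
master = true
"""

# Constructed sample: the remediated configuration (loopback only).
HARDENED_INI = """
[uwsgi]
module = app:application
socket = 127.0.0.1:8000
master = true
"""

# uWSGI options that open a listening socket (documented uWSGI option names).
LISTEN_OPTIONS = (
    "socket", "uwsgi-socket", "http", "http-socket",
    "fastcgi-socket", "scgi-socket",
)


def listens_publicly(bind):
    """Return True when a uWSGI bind string is reachable from other hosts.

    A value without a colon is a Unix socket path and therefore local.
    ':8000', '0.0.0.0:8000' and '[::]:8000' bind every interface.
    """
    bind = bind.strip()
    if ":" not in bind:
        return False  # Unix domain socket path
    host, _, _port = bind.rpartition(":")
    if not host:
        return True  # bare ':port' means all interfaces
    host = host.strip("[]")  # IPv6 literals are written in brackets
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host != "localhost"  # hostname: treat anything but localhost as public
    return not addr.is_loopback


def audit_uwsgi_ini(text):
    """Parse uWSGI ini text and return (option, bind) pairs that are reachable
    beyond the local host. Interpolation is disabled because uWSGI ini files
    use '%' placeholders that configparser would otherwise try to expand."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in LISTEN_OPTIONS and listens_publicly(value):
                findings.append((key, value.strip()))
    return findings


if __name__ == "__main__":
    for name, ini in (("exposed", EXPOSED_INI), ("hardened", HARDENED_INI)):
        print(name, "->", audit_uwsgi_ini(ini) or "no publicly bound sockets")
```

    Run the script against a real configuration by passing its contents to audit_uwsgi_ini; an empty result means every listening option is bound to loopback or to a Unix socket. Note that configparser keeps only the last value of a repeated key, so a file with several socket lines should be checked line by line.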
References