CVE-2014-1402
HIGH8.4EPSS 0.10%Incorrect Privilege Assignment in Jinja2
Published: 5/14/2022Modified: 9/24/2024
Description
The default configuration for `bccache.FileSystemBytecodeCache` in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with `__jinja2_` in `/tmp`.
Affected packages (3)
- Debian/jinja2from 0, < 2.7.2-1
- PyPI/jinja2from 0, < 2.7.2
- PyPI/jinja2from 0, < 2.7.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (23)
- ADVISORYhttp://secunia.com/advisories/56287
- ADVISORYhttp://secunia.com/advisories/58783
- ADVISORYhttp://secunia.com/advisories/58918
- ADVISORYhttp://secunia.com/advisories/59017
- ADVISORYhttp://secunia.com/advisories/60738
- ADVISORYhttp://secunia.com/advisories/60770
- ADVISORYhttps://github.com/advisories/GHSA-8r7q-cvjq-x353
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-1402
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-1402
- ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2014:096
- WEBhttp://advisories.mageia.org/MGASA-2014-0028.html
- WEBhttp://jinja.pocoo.org/docs/changelog
- WEBhttp://jinja.pocoo.org/docs/changelog/
- WEBhttp://openwall.com/lists/oss-security/2014/01/10/2
- WEBhttp://openwall.com/lists/oss-security/2014/01/10/3
- WEBhttp://rhn.redhat.com/errata/RHSA-2014-0747.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2014-0748.html
- WEBhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1051421
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-8.yaml
- WEBhttps://oss.oracle.com/pipermail/el-errata/2014-June/004192.html
- WEBhttps://web.archive.org/web/20150523060528/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:096/?name=MDVSA-2014:096
- WEBhttp://www.gentoo.org/security/en/glsa/glsa-201408-13.xml