CVE-2014-1402
python-jinja2: FileSystemBytecodeCache insecure cache temporary file use
Severity Score
4.4
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
La configuración por defecto para bccache.FileSystemBytecodeCache en Jinja2 anterior a 2.7.2 no crea debidamente archivos temporales, lo que permite a usuarios locales ganar privilegios a través de un archivo .cache manipulado con un nombre que empieza con __jinja2_ en /tmp.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-01-10 CVE Reserved
- 2014-05-19 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-377: Insecure Temporary File
CAPEC
References (18)
| URL | Tag | Source |
|---|---|---|
| http://advisories.mageia.org/MGASA-2014-0028.html | X_refsource_confirm | |
| http://jinja.pocoo.org/docs/changelog | X_refsource_confirm | |
| http://openwall.com/lists/oss-security/2014/01/10/2 | Mailing List | |
| http://openwall.com/lists/oss-security/2014/01/10/3 | Mailing List | |
| http://secunia.com/advisories/56287 | Third Party Advisory | |
| http://secunia.com/advisories/58783 | Third Party Advisory | |
| http://secunia.com/advisories/58918 | Third Party Advisory | |
| http://secunia.com/advisories/59017 | Third Party Advisory | |
| http://secunia.com/advisories/60738 | Third Party Advisory | |
| http://secunia.com/advisories/60770 | Third Party Advisory | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 | X_refsource_confirm | |
| https://oss.oracle.com/pipermail/el-errata/2014-June/004192.html | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-0747.html | 2017-12-22 | |
| http://rhn.redhat.com/errata/RHSA-2014-0748.html | 2017-12-22 | |
| http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml | 2017-12-22 | |
| http://www.mandriva.com/security/advisories?name=MDVSA-2014:096 | 2017-12-22 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1051421 | 2014-06-11 | |
| https://access.redhat.com/security/cve/CVE-2014-1402 | 2014-06-11 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | <= 2.7.1 Search vendor "Pocoo" for product "Jinja2" and version " <= 2.7.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.0 Search vendor "Pocoo" for product "Jinja2" and version "2.0" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.0 Search vendor "Pocoo" for product "Jinja2" and version "2.0" | rc1 |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.1 Search vendor "Pocoo" for product "Jinja2" and version "2.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.1.1 Search vendor "Pocoo" for product "Jinja2" and version "2.1.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.2 Search vendor "Pocoo" for product "Jinja2" and version "2.2" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.2.1 Search vendor "Pocoo" for product "Jinja2" and version "2.2.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.3 Search vendor "Pocoo" for product "Jinja2" and version "2.3" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.3.1 Search vendor "Pocoo" for product "Jinja2" and version "2.3.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.4 Search vendor "Pocoo" for product "Jinja2" and version "2.4" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.4.1 Search vendor "Pocoo" for product "Jinja2" and version "2.4.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.5 Search vendor "Pocoo" for product "Jinja2" and version "2.5" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.5.1 Search vendor "Pocoo" for product "Jinja2" and version "2.5.1" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.5.2 Search vendor "Pocoo" for product "Jinja2" and version "2.5.2" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.5.3 Search vendor "Pocoo" for product "Jinja2" and version "2.5.3" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.5.4 Search vendor "Pocoo" for product "Jinja2" and version "2.5.4" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.5.5 Search vendor "Pocoo" for product "Jinja2" and version "2.5.5" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.6 Search vendor "Pocoo" for product "Jinja2" and version "2.6" | - |
Affected
| ||||||
| Pocoo Search vendor "Pocoo" | Jinja2 Search vendor "Pocoo" for product "Jinja2" | 2.7 Search vendor "Pocoo" for product "Jinja2" and version "2.7" | - |
Affected
| ||||||