CVE-2014-1604

Description

The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.

How to fix CVE-2014-1604

To remediate CVE-2014-1604, upgrade the affected package to a fixed version below.

• Debian/python-rply—upgrade to 0.7.1-1 or later
• PyPI/rply—upgrade to 0.7.1 or later
• PyPI/rply—no fix listed
• —upgrade to fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7c or later

Is CVE-2014-1604 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 0.7.1-1
• from 0, < 0.7.1
• from 0, < fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7c | from 0, < 0.7.1

References (13)

• ADVISORYsecunia.com/advisories/56429
• ADVISORYgithub.com/advisories/GHSA-9gcf-pq99-rjw3
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-1604
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-1604
• PATCHgithub.com