CVE-2014-1402

HIGH8.4EPSS 0.10%

Incorrect Privilege Assignment in Jinja2

發布日:2022/5/14修改日:2024/9/24

也稱為:GHSA-8r7q-cvjq-x353DEBIAN-CVE-2014-1402PYSEC-2014-8

描述

The default configuration for `bccache.FileSystemBytecodeCache` in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with `__jinja2_` in `/tmp`.

受影響套件(3)

Debian/jinja2from 0, < 2.7.2-1
PyPI/jinja2from 0, < 2.7.2
PyPI/jinja2from 0, < 2.7.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH8.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(23)

ADVISORYhttp://secunia.com/advisories/56287
ADVISORYhttp://secunia.com/advisories/58783
ADVISORYhttp://secunia.com/advisories/58918
ADVISORYhttp://secunia.com/advisories/59017
ADVISORYhttp://secunia.com/advisories/60738
ADVISORYhttp://secunia.com/advisories/60770
ADVISORYhttps://github.com/advisories/GHSA-8r7q-cvjq-x353
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-1402
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-1402
ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2014:096
WEBhttp://advisories.mageia.org/MGASA-2014-0028.html
WEBhttp://jinja.pocoo.org/docs/changelog
WEBhttp://jinja.pocoo.org/docs/changelog/
WEBhttp://openwall.com/lists/oss-security/2014/01/10/2
WEBhttp://openwall.com/lists/oss-security/2014/01/10/3
WEBhttp://rhn.redhat.com/errata/RHSA-2014-0747.html
WEBhttp://rhn.redhat.com/errata/RHSA-2014-0748.html
WEBhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1051421
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-8.yaml
WEBhttps://oss.oracle.com/pipermail/el-errata/2014-June/004192.html
WEBhttps://web.archive.org/web/20150523060528/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:096/?name=MDVSA-2014:096
WEBhttp://www.gentoo.org/security/en/glsa/glsa-201408-13.xml