CVE-2014-1933
MEDIUM4.0EPSS 0.11%Pillow Temporary file name leakage
發布日:2020/5/18修改日:2026/4/28
也稱為:DEBIAN-CVE-2014-1933
描述
The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.
受影響套件(3)
- Debian/pillowfrom 0, < 2.4.0-1
- PyPI/pillowfrom 0, < 2.3.1
- PyPI/pillowfrom 0, < 4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7 | from 0, < 2.3.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.0 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
參考連結(12)
- ADVISORYhttps://github.com/advisories/GHSA-r854-96gq-rfg3
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-1933
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-1933
- PATCHhttps://github.com/python-imaging/Pillow
- WEBhttp://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-23.yaml
- WEBhttps://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
- WEBhttps://security.gentoo.org/glsa/201612-52
- WEBhttp://www.openwall.com/lists/oss-security/2014/02/10/15
- WEBhttp://www.openwall.com/lists/oss-security/2014/02/11/1
- WEBhttp://www.securityfocus.com/bid/65513
- WEBhttp://www.ubuntu.com/usn/USN-2168-1