CVE-2014-1402

Severity

44%

Complexity

34%

Confidentiality

106%

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

CVSS 2.0 Base Score 4.4. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P).

Overview

Type

pocoo Jinja2

First reported 10 years ago

2014-05-19 14:55:00

Last updated 7 years ago

2017-12-22 02:29:00

Affected Software

pocoo Jinja2 2.0

2.0

pocoo Jinja2 2.0 release candidate 1

2.0

pocoo Jinja2 2.1

2.1

pocoo Jinja2 2.1.1

2.1.1

pocoo Jinja2 2.2

2.2

pocoo Jinja2 2.2.1

2.2.1

pocoo Jinja2 2.3

2.3

pocoo Jinja2 2.3.1

2.3.1

pocoo Jinja2 2.4

2.4

pocoo Jinja2 2.4.1

2.4.1

pocoo Jinja2 2.5

2.5

pocoo Jinja2 2.5.1

2.5.1

pocoo Jinja2 2.5.2

2.5.2

pocoo Jinja2 2.5.3

2.5.3

pocoo Jinja2 2.5.4

2.5.4

pocoo Jinja2 2.5.5

2.5.5

pocoo Jinja2 2.6

2.6

pocoo Jinja2 2.7

2.7

References

http://advisories.mageia.org/MGASA-2014-0028.html

http://jinja.pocoo.org/docs/changelog/

[oss-security] 20140110 CVE Request: python-jinja2: arbitrary code execution vulnerability

[oss-security] 20140110 Re: CVE Request: python-jinja2: arbitrary code execution vulnerability

RHSA-2014:0747

RHSA-2014:0748

56287

58783

58918

59017

60738

60770

GLSA-201408-13

MDVSA-2014:096

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747

https://bugzilla.redhat.com/show_bug.cgi?id=1051421

[El-errata] 20140611 Oracle Linux Security Advisory ELSA-2014-0747

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.