CVE-2014-1859 - Improper Link Resolution Before File Access ('Link Following')

Severity

21%

Complexity

39%

Confidentiality

48%

(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.

(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.

CVSS 3.0 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

CVSS 2.0 Base Score 2.1. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N).

Overview

First reported 7 years ago

2018-01-08 19:29:00

Last updated 5 years ago

2019-04-22 17:48:00

Affected Software

NumPy 1.8.1 Release Candidate 1

1.8.1

Fedora 19

19

Fedora 20

20

Red Hat Enterprise Linux 6.0

6.0

Red Hat Enterprise Linux (RHEL) 7.0 (7)

7.0

References

FEDORA-2014-2289

Issue Tracking, Third Party Advisory

FEDORA-2014-2387

Issue Tracking, Third Party Advisory

[oss-security] 20140207 Re: CVE request: f2py insecure temporary file use

Issue Tracking, Mailing List, Patch, Third Party Advisory

65440

Third Party Advisory, VDB Entry

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778

Issue Tracking, Patch, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1062009

Issue Tracking, Patch

numpy-cve20141859-symlink(91317)

Issue Tracking, Third Party Advisory, VDB Entry

https://github.com/numpy/numpy/blob/maintenance/1.8.x/doc/release/1.8.1-notes.rst

Patch, Third Party Advisory

https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15

Patch, Third Party Advisory

https://github.com/numpy/numpy/pull/4262

Issue Tracking, Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.