CVE-2014-1402

Published: 19/05/2014 Updated: 22/12/2017
CVSS v2 Base Score: 4.4 | Impact Score: 6.4 | Exploitability Score: 3.4
VMScore: 392
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 prior to 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

Vulnerable Product

pocoo jinja2 2.5.5

pocoo jinja2 2.5.4

pocoo jinja2

pocoo jinja2 2.5.1

pocoo jinja2 2.5

pocoo jinja2 2.1

pocoo jinja2 2.0

pocoo jinja2 2.5.3

pocoo jinja2 2.5.2

pocoo jinja2 2.2

pocoo jinja2 2.1.1

pocoo jinja2 2.7

pocoo jinja2 2.6

pocoo jinja2 2.4.1

pocoo jinja2 2.4

pocoo jinja2 2.3.1

pocoo jinja2 2.3

pocoo jinja2 2.2.1

Vendor Advisories

A security issue was fixed in Jinja2 ...
Debian Bug report logs - #734956 jinja2: CVE-2014-0012: unsafe temporary files creation. Package: jinja2; Maintainer for jinja2 is Piotr Ożarowski <piotr@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 11 Jan 2014 07:24:02 UTC; Severity: important; Tags: security, upstream; Found in versio ...
Debian Bug report logs - #734747 jinja2: CVE-2014-1402: jinja2.bccache.FileSystemBytecodeCache: insecure default directory. Package: python-jinja2; Maintainer for python-jinja2 is Piotr Ożarowski <piotr@debian.org>; Source for python-jinja2 is src:jinja2 (PTS, buildd, popcon); Reported by: Jakub Wilk <jwilk@debian.org> ...
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp ...

Github Repositories

Analysis on vulnerability database osv.dev focused on commit-related data

OSV.dev analysis. Setup. Data: run make data/swhdb to fetch the data from OSV and add it to the database, creating a csv file at data/osvcsv. graph-tool Shell: the shell is used to colorize graphs using parquet file and is not optimized for large graphs. Requirements: the shell and more specifically utils/pq_graphpy require graph-tool. As this is a package not available through p