Vulnerability Details : CVE-2014-1402
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
Products affected by CVE-2014-1402
- cpe:2.3:a:pocoo:jinja2:*:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.0:-:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.7:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:pocoo:jinja2:2.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-1402
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 8 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-1402
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.4
|
MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
3.4
|
6.4
|
NIST |
CWE ids for CVE-2014-1402
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1402
-
http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml
Jinja2: Multiple vulnerabilities (GLSA 201408-13) — Gentoo security
-
http://jinja.pocoo.org/docs/changelog/
Changelog — Jinja Documentation (2.10.x)
-
http://rhn.redhat.com/errata/RHSA-2014-0748.html
RHSA-2014:0748 - Security Advisory - Red Hat Customer Portal
-
http://www.mandriva.com/security/advisories?name=MDVSA-2014:096
mandriva.com
-
https://oss.oracle.com/pipermail/el-errata/2014-June/004192.html
[El-errata] ELSA-2014-0747 Moderate: Oracle Linux 6 python-jinja2 security update
-
http://openwall.com/lists/oss-security/2014/01/10/3
oss-security - Re: CVE Request: python-jinja2: arbitrary code execution vulnerability
-
http://rhn.redhat.com/errata/RHSA-2014-0747.html
RHSA-2014:0747 - Security Advisory - Red Hat Customer Portal
-
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
#734747 - jinja2: CVE-2014-1402: jinja2.bccache.FileSystemBytecodeCache: insecure default directory - Debian Bug report logs
-
https://bugzilla.redhat.com/show_bug.cgi?id=1051421
1051421 – (CVE-2014-1402) CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use
-
http://advisories.mageia.org/MGASA-2014-0028.html
Mageia Advisory: MGASA-2014-0028 - Updated python-jinja2 package fixes two security vulnerabilities
-
http://secunia.com/advisories/58783
Sign in
-
http://openwall.com/lists/oss-security/2014/01/10/2
oss-security - CVE Request: python-jinja2: arbitrary code execution vulnerability
Jump to