Vulnerability Details : CVE-2014-1858
__init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file.
Vulnerability category: Input validation
Products affected by CVE-2014-1858
- cpe:2.3:a:numpy:numpy:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-1858
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-1858
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N | 3.9 | 2.9 | NIST | |
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.8 | 3.6 | NIST | |
CWE ids for CVE-2014-1858
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1858
- https://github.com/numpy/numpy/blob/maintenance/1.8.x/doc/release/1.8.1-notes.rst
  numpy/1.8.1-notes.rst at maintenance/1.8.x · numpy/numpy · GitHub (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128358.html
  [SECURITY] Fedora 20 Update: numpy-1.8.0-4.fc20 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2014/02/08/3
  oss-security - Re: CVE request: f2py insecure temporary file use (Mailing List; Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91318
  NumPy package __init__.py symlink CVE-2014-1858 Vulnerability Report (Third Party Advisory; VDB Entry)
- https://github.com/numpy/numpy/pull/4262
  remove insecure mktemp usage by juliantaylor · Pull Request #4262 · numpy/numpy · GitHub (Third Party Advisory)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
  #737778 - python-numpy: insecure use of /tmp (CVE-2014-1858 CVE-2014-1859) - Debian Bug report logs (Mailing List; Third Party Advisory)
- https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
  ENH: remove insecure mktemp use · numpy/numpy@0bb46c1 · GitHub (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1062009
  1062009 – (CVE-2014-1858, CVE-2014-1859) CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use (Issue Tracking; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128781.html
  [SECURITY] Fedora 19 Update: numpy-1.7.2-8.fc19 (Third Party Advisory)
- http://www.securityfocus.com/bid/65441
  NumPy '__init__.py' Insecure Temporary File Creation Vulnerability (Third Party Advisory; VDB Entry)