Vulnerability Details : CVE-2014-2667
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
Products affected by CVE-2014-2667
- cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.6:*:*:*:*:*:*:*
Threat overview for CVE-2014-2667
Top countries where our scanners detected CVE-2014-2667
Top open port discovered on systems with this issue
80
IPs affected by CVE-2014-2667 547
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2014-2667!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2014-2667
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-2667
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3
|
LOW | AV:L/AC:M/Au:N/C:P/I:P/A:N |
3.4
|
4.9
|
NIST |
CWE ids for CVE-2014-2667
-
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2667
-
http://lists.opensuse.org/opensuse-updates/2014-05/msg00007.html
openSUSE-SU-2014:0596-1: moderate: update for python3
-
http://www.openwall.com/lists/oss-security/2014/03/28/15
oss-security - CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
-
http://lists.opensuse.org/opensuse-updates/2014-05/msg00008.html
openSUSE-SU-2014:0597-1: moderate: update for python3
-
https://security.gentoo.org/glsa/201503-10
Python: Multiple vulnerabilities (GLSA 201503-10) — Gentoo security
-
http://www.openwall.com/lists/oss-security/2014/03/30/4
oss-security - Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
-
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
[security-announce] openSUSE-SU-2020:0086-1: important: Security update
-
http://www.openwall.com/lists/oss-security/2014/03/29/5
oss-security - Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
-
http://bugs.python.org/issue21082
Issue 21082: os.makedirs(exist_ok=True) is not thread-safe: umask is set temporary to 0, serious security problem - Python trackerVendor Advisory
Jump to