CVE-2014-0012 — Insecure Temporary File in Jinja2

CWE-264 CWE-377 — Insecure Temporary File10 documents9 sources

Severity

4.4MEDIUMNVD

EPSS

0.1%

top 72.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pocoo Jinja2

Timeline

PublishedMay 19

Latest updateMay 17

Description

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages3 packages

▶PyPIpocoo/jinja2< 2.7.2

▶Debianpocoo/jinja2< 2.7.2-2+3

▶NVDpocoo/jinja22.7.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Insecure Temporary File in Jinja2↗2022-05-17

▶

GHSA

Insecure Temporary File in Jinja2↗2022-05-17

▶

OSV

CVE-2014-0012: FileSystemBytecodeCache in Jinja2 2↗2014-05-19

▶

CVEList

CVE-2014-0012: FileSystemBytecodeCache in Jinja2 2↗2014-05-19

▶

💥Exploits & PoCs

Exploit-DB

AirLive (Multiple Products) - OS Command Injection↗2015-07-08

▶

📋Vendor Advisories

Ubuntu

Jinja2 vulnerabilities↗2014-07-24

▶

Red Hat

python-jinja2: FileSystemBytecodeCache insecure cache temporary file use, incorrect CVE-2014-1402 fix↗2014-01-11

▶

Debian

CVE-2014-0012: jinja2 - FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary direc...↗2014

▶

💬Community

Bugzilla

CVE-2014-0012 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use, incorrect CVE-2014-1402 fix↗2014-01-13

▶