CVE-2014-1402Insecure Temporary File in Jinja2

CWE-264CWE-377Insecure Temporary FileCWE-266Incorrect Privilege Assignment12 documents8 sources
Severity
4.4MEDIUMNVD
EPSS
0.1%
top 73.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pocoo Jinja2
Timeline
PublishedMay 19
Latest updateMay 17

Description

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages3 packages

PyPIpocoo/jinja2< 2.7.2
Debianpocoo/jinja2< 2.7.2-1+3
NVDpocoo/jinja22.7.1+17

🔴Vulnerability Details

5
GHSA
Insecure Temporary File in Jinja22022-05-17
GHSA
Incorrect Privilege Assignment in Jinja22022-05-14
OSV
Incorrect Privilege Assignment in Jinja22022-05-14
OSV
CVE-2014-1402: The default configuration for bccache2014-05-19
CVEList
CVE-2014-1402: The default configuration for bccache2014-05-19

📋Vendor Advisories

4
Ubuntu
Jinja2 vulnerabilities2014-07-24
Red Hat
python-jinja2: FileSystemBytecodeCache insecure cache temporary file use, incorrect CVE-2014-1402 fix2014-01-11
Red Hat
python-jinja2: FileSystemBytecodeCache insecure cache temporary file use2014-01-09
Debian
CVE-2014-1402: jinja2 - The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2...2014

💬Community

2
Bugzilla
CVE-2014-0012 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use, incorrect CVE-2014-1402 fix2014-01-13
Bugzilla
CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use2014-01-10
CVE-2014-1402 — Insecure Temporary File in Pocoo Jinja2 | cvebase