CVE-2014-1859 — Link Following in Numpy

CWE-59 — Link Following CWE-377 — Insecure Temporary File CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition21 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 85.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Numpy Fedoraproject Fedora Redhat Enterprise Linux

Timeline

PublishedJan 8

Latest updateJun 30

Description

(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶PyPInumpy/numpy< 1.8.1

▶NVDnumpy/numpy1.8.0+1

Also affects: Fedora 19, 20, Enterprise Linux 6.0, 7.0

Patches

Patch: www.openwall.com ↗Patch: bugs.debian.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Numpy arbitrary file write via symlink attack↗2022-05-14

▶

OSV

Numpy arbitrary file write via symlink attack↗2022-05-14

▶

OSV

CVE-2014-1859: (1) core/tests/test_memmap↗2018-01-08

▶

📋Vendor Advisories

Red Hat

numpy: f2py insecure temporary file use↗2014-02-05

▶

📄Research Papers

arXiv

Threat Assessment in Machine Learning based Systems↗2022-06-30

▶

💬Community

Bugzilla

CVE-2014-6551 mysql: unspecified vulnerability related to CLIENT:MYSQLADMIN (CPU October 2014)↗2014-10-16

▶

Bugzilla

CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use [epel-5]↗2014-02-13

▶

Bugzilla

CVE-2014-1858 CVE-2014-1859 python26-numpy: numpy: f2py insecure temporary file use [epel-5]↗2014-02-13

▶

Bugzilla

CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use↗2014-02-06

▶