CVE-2014-1933 — Sensitive Information Exposure in Pillow

CWE-264 CWE-200 — Sensitive Information Exposure CWE-214 — Invocation of Process Using Visible Sensitive Information12 documents8 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 70.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Pythonware Python Imaging Library

Timeline

PublishedApr 17

Latest updateMay 18

Description

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

CVSS vector

AV:L/AC:L/C:N/I:P/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages4 packages

▶PyPIpython/pillow< 2.3.1

▶Debianpython/pillow< 2.4.0-1+3

▶NVDpython/pillow2.3.0

▶NVDpythonware/python_imaging_library1.1.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Pillow Temporary file name leakage↗2020-05-18

▶

GHSA

Pillow Temporary file name leakage↗2020-05-18

▶

CVEList

CVE-2014-1933: The (1) JpegImagePlugin↗2014-04-17

▶

OSV

CVE-2014-1933: The (1) JpegImagePlugin↗2014-04-17

▶

📋Vendor Advisories

Ubuntu

Python Imaging Library vulnerabilities↗2014-04-15

▶

Red Hat

python-imaging: temporary file name exposure in process list↗2014-01-29

▶

Debian

CVE-2014-1933: pillow - The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Lib...↗2014

▶

💬Community

Bugzilla

CVE-2014-1933 CVE-2014-1932 python-pillow: various flaws [fedora-all]↗2014-04-22

▶

Bugzilla

CVE-2014-1932 python-pillow, python-imaging: insecure temporary file creation↗2014-02-11

▶

Bugzilla

CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in process list↗2014-02-11

▶

Bugzilla

CVE-2014-1933 python26-imaging: python-imaging: insecure temporary file handling [epel-5]↗2014-02-11

▶