CVE-2014-8991 — Insecure Temporary File in PIP

CWE-377 — Insecure Temporary File8 documents7 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 77.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypa PIP Oracle Solaris

Timeline

PublishedNov 24

Latest updateMay 13

Description

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.

CVSS vector

AV:L/AC:L/C:N/I:N/A:PExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶PyPIpypa/pip1.3 — 6.0

▶NVDpypa/pip1.3 — 1.5.6

▶NVDoracle/solaris11.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

pip lack of randomness in build directory↗2022-05-13

▶

GHSA

pip lack of randomness in build directory↗2022-05-13

▶

CVEList

CVE-2014-8991: pip 1↗2014-11-24

▶

OSV

CVE-2014-8991: pip 1↗2014-11-24

▶

📋Vendor Advisories

Debian

CVE-2014-8991: python-pip - pip 1.3 through 1.5.6 allows local users to cause a denial of service (preventio...↗2014

▶

Red Hat

python-pip: local DoS vulnerability↗2013-10-09

▶

💬Community

Bugzilla

CVE-2014-8991 python-pip: local DoS vulnerability↗2014-11-20

▶