Vulnerability CVE-2014-1402: Information

Description

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

Severity: MEDIUM (4.4)

Published: May 19, 2014
Modified: Dec. 22, 2017
Error type identifier: CWE-264

Fixed packages

Package name            Branch  Fixed in version    Version from repository  Errata ID           Task #  State
python-module-jinja2    p9      2.11.2-alt1         2.11.2-alt1              ALT-PU-2020-3106-2  254838  Fixed
python3-module-jinja2   p10     3.0.1-alt1.p10.1    3.0.1-alt1.p10.1         ALT-PU-2024-3036-5  341197  Fixed

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:pocoo:jinja2:2.5.3:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.5.4:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:*:*:*:*:*:*:*:* (End including: 2.7.1)

      cpe:2.3:a:pocoo:jinja2:2.0:-:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.5.1:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.0:rc1:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.4:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.4.1:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.5:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.2.1:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.6:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.1.1:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.7:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.3.1:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.3:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.5.2:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.2:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.5.5:*:*:*:*:*:*:*

      cpe:2.3:a:pocoo:jinja2:2.1:*:*:*:*:*:*:*