#VU33662 Permissions, Privileges, and Access Controls - CVE-2014-0012


Updated: 2020-08-04

Vulnerability identifier: #VU33662

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-0012

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
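A defensive pattern for the class of flaw described above, shown as an added example that is not Jinja2's own code or its vendor fix: create the per-user cache directory atomically, and refuse to use a pre-existing one unless it is a real directory, owned by the expected uid, and closed to group and other. The names `private_cache_dir`, `UnsafeCacheDir` and the `cache-*` directories are hypothetical, and the bad cases are constructed inside a throwaway temporary directory.

```python
import os
import stat
import tempfile


class UnsafeCacheDir(Exception):
    """The cache directory exists but cannot be trusted."""


def private_cache_dir(base, name, uid=None):
    """Create (or reuse) base/name as a directory only `uid` can access."""
    uid = os.getuid() if uid is None else uid
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)      # atomic: fails if anything already exists
    except FileExistsError:
        pass                       # pre-existing path: verify before trusting
    st = os.lstat(path)            # lstat so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{path}: not a real directory")
    if st.st_uid != uid:
        raise UnsafeCacheDir(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise UnsafeCacheDir(f"{path}: accessible to group/other")
    return path


def demo():
    """Run the check against constructed directories and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        results["fresh"] = os.path.isdir(private_cache_dir(base, "cache-a"))
        results["reuse"] = os.path.isdir(private_cache_dir(base, "cache-a"))
        # Constructed bad cases: paths that existed before the check ran.
        os.mkdir(os.path.join(base, "cache-open"))
        os.chmod(os.path.join(base, "cache-open"), 0o777)
        os.symlink(base, os.path.join(base, "cache-link"))
        cases = {
            "open": ("cache-open", None),              # world-accessible
            "symlink": ("cache-link", None),           # symlink, not a dir
            "other_uid": ("cache-a", os.getuid() + 1), # simulated owner mismatch
        }
        for label, (name, uid) in cases.items():
            try:
                private_cache_dir(base, name, uid)
                results[label] = "accepted"
            except UnsafeCacheDir:
                results[label] = "rejected"
    return results
```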

Mitigation
Install the update from the vendor's website.

External links
https://seclists.org/oss-sec/2014/q1/73
https://secunia.com/advisories/56328
https://secunia.com/advisories/60738
https://www.gentoo.org/security/en/glsa/glsa-201408-13.xml
https://bugzilla.redhat.com/show_bug.cgi?id=1051421
https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
https://github.com/mitsuhiko/jinja2/pull/292
https://github.com/mitsuhiko/jinja2/pull/296


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

