CVE-2014-0012
Published: 19 May 2014
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
Notes
Author | Note |
---|---|
mdeslaur | Introduced in 2.7.2, and in CVE-2014-1402 security fix. 2.7.2-2 in trusty switches to tempfile.mkdtemp which fixes the security issue, but isn't an ideal fix for proper caching. |
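The note above contrasts `tempfile.mkdtemp` (safe, but a new directory on every run, so nothing is cached across runs) with a stable per-user directory. The following is an added example, not code from Jinja2 or from the Ubuntu tracker. It shows one way to keep a predictable per-user directory and still refuse one that somebody else pre-created. The names `private_cache_dir`, `UnsafeCacheDir` and the `example-cache-<uid>` directory name are assumptions made for illustration.

```python
import os
import stat
import tempfile

class UnsafeCacheDir(RuntimeError):
    """The per-user cache directory exists but cannot be trusted."""

def cache_dir_name(base):
    # "example-cache-<uid>" is a hypothetical name, not the one Jinja2 uses.
    return os.path.join(base, "example-cache-%d" % os.getuid())

def private_cache_dir(base=None):
    """Create or re-use a stable per-user cache directory under `base`."""
    path = cache_dir_name(base or tempfile.gettempdir())
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # already there: made by us earlier, or by another local user
    # lstat, not stat: a symlink planted at the predictable name is not followed.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir("%s is not a directory" % path)
    if st.st_uid != os.getuid():
        raise UnsafeCacheDir("%s is owned by uid %d" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise UnsafeCacheDir("%s is accessible to group or other" % path)
    return path

def check(base):
    try:
        return private_cache_dir(base)
    except UnsafeCacheDir as exc:
        return "rejected: %s" % exc

def demo():
    """Run the check against constructed directory states in a scratch dir."""
    out = {}
    with tempfile.TemporaryDirectory() as base:
        path = cache_dir_name(base)
        out["fresh"] = check(base) == path      # created with mode 0700
        out["reused"] = check(base) == path     # second call accepts our own dir
        os.chmod(path, 0o777)                   # constructed: loose existing dir
        out["loose_mode"] = check(base)
        os.rmdir(path)
        os.symlink(base, path)                  # constructed: symlink at the name
        out["symlink"] = check(base)
    return out

if __name__ == "__main__":
    print(demo())
```

The ownership check is the one that matters for this CVE; it cannot be exercised in `demo()` without a second account, so the constructed cases cover the mode and symlink checks only.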
Priority
Status
Package | Release | Status |
---|---|---|
jinja2 Launchpad, Ubuntu, Debian | lucid | Ignored (end of life) |
 | precise | Released (2.6-1ubuntu0.1) |
 | quantal | Ignored (end of life) |
 | raring | Ignored (end of life) |
 | saucy | Ignored (end of life) |
 | trusty | Not vulnerable (2.7.2-2) |
 | upstream | Released (2.7.3,2.7.2-2) |

Patches: upstream: https://github.com/mitsuhiko/jinja2/commit/964c61ce79f6748ff8c583e2eb12ec54082bf188