Fluid Attacks Database

Description

Insecure Temporary File in Jinja2 FileSystemBytecodeCache in Jinja2 prior to version 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	jinja2	>=0 <2.7.2	2.7.2
debian 13	jinja2	>=0 <2.7.2-2	2.7.2-2
debian 11	jinja2	>=0 <2.7.2-2	2.7.2-2
debian 12	jinja2	>=0 <2.7.2-2	2.7.2-2
debian 14	jinja2	>=0 <2.7.2-2	2.7.2-2

Aliases

1. CVE-2014-00122. NVD-2014-00123. OSV-2014-00124. OSV-DEBIAN-2014-00125. GCVE-2014-00126. SECURITY-TRACKER-CVE-2014-0012

References

1. https://github.com/mitsuhiko/jinja2/pull/2922. https://github.com/mitsuhiko/jinja2/pull/2963. https://github.com/pallets/jinja2/pull/2924. https://github.com/pallets/jinja2/pull/2965. https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa76. https://github.com/pallets/jinja/commit/acb672b6a179567632e032f547582f30fa2f4aa77. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=7347478. https://bugzilla.redhat.com/show_bug.cgi?id=10514219. https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-82.yaml10. http://seclists.org/oss-sec/2014/q1/7311. http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.