Fluid Attacks Database

Description

Incorrect Privilege Assignment in Jinja2 The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	jinja2	>=0 <2.7.2	2.7.2
debian 14	jinja2	>=0 <2.7.2-1	2.7.2-1
debian 12	jinja2	>=0 <2.7.2-1	2.7.2-1
debian 11	jinja2	>=0 <2.7.2-1	2.7.2-1
debian 13	jinja2	>=0 <2.7.2-1	2.7.2-1
rpm rhel6	python-jinja2	<0:2.2.1-2.el6_5	0:2.2.1-2.el6_5

Aliases

1. CVE-2014-14022. NVD-2014-14023. OSV-2014-14024. OSV-DEBIAN-2014-14025. GHSA-8r7q-cvjq-x3536. GCVE-2014-14027. SECURITY-TRACKER-CVE-2014-1402

References

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=7347472. https://bugzilla.redhat.com/show_bug.cgi?id=10514213. https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-8.yaml4. https://oss.oracle.com/pipermail/el-errata/2014-June/004192.html5. https://web.archive.org/web/20150523060528/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:096/?name=MDVSA-2014:0966. http://advisories.mageia.org/MGASA-2014-0028.html7. http://jinja.pocoo.org/docs/changelog8. http://openwall.com/lists/oss-security/2014/01/10/29. http://openwall.com/lists/oss-security/2014/01/10/310. http://rhn.redhat.com/errata/RHSA-2014-0747.html11. http://rhn.redhat.com/errata/RHSA-2014-0748.html12. http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.