CVE-2014-0012

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.4 UNKNOWN
LOCAL
MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
pocoojinja2
2.7.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jinja2
bullseye
2.11.3-1
fixed
squeeze
not-affected
wheezy
not-affected
bookworm
3.1.2-1
fixed
sid
3.1.3-1
fixed
trixie
3.1.3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jinja2
trusty
not-affected
saucy
ignored
raring
ignored
quantal
ignored
precise
Fixed 2.6-1ubuntu0.1
released
lucid
ignored
Common Weakness Enumeration
References
http://seclists.org/oss-sec/2014/q1/73
http://secunia.com/advisories/56328
http://secunia.com/advisories/60738
http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml
https://bugzilla.redhat.com/show_bug.cgi?id=1051421
https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
https://github.com/mitsuhiko/jinja2/pull/292
https://github.com/mitsuhiko/jinja2/pull/296
http://seclists.org/oss-sec/2014/q1/73
http://secunia.com/advisories/56328
http://secunia.com/advisories/60738
http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml
https://bugzilla.redhat.com/show_bug.cgi?id=1051421
https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
https://github.com/mitsuhiko/jinja2/pull/292
https://github.com/mitsuhiko/jinja2/pull/296