CVE-2014-1933

{"id": "CVE-2014-1933", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-04-17T14:55:11.120", "references": [{"url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2014/02/10/15", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2014/02/11/1", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/65513", "source": "cve@mitre.org"}, {"url": "http://www.ubuntu.com/usn/USN-2168-1", "source": "cve@mitre.org"}, {"url": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7", "tags": ["Exploit", "Patch"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/201612-52", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2014/02/10/15", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2014/02/11/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/65513", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ubuntu.com/usn/USN-2168-1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7", "tags": ["Exploit", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201612-52", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes."}, {"lang": "es", "value": "Los scripts (1) JpegImagePlugin.py y (2) EpsImagePlugin.py en Python Image Library (PIL) 1.1.7 y anteriores y Pillow anterior a 2.3.1 utiliza los nombres de archivos temporales en la l\u00ednea de comando, lo que facilita a usuarios locales realizar ataques symlink mediante el listado de los procesos."}], "lastModified": "2024-11-21T02:05:18.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1BAE1A0-BC57-4410-83DD-DB85B992398A", "versionEndIncluding": "2.3.0"}, {"criteria": "cpe:2.3:a:pythonware:python_imaging_library:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0BFFC56-855D-49E5-A4FD-7AA2D68F5B5C", "versionEndIncluding": "1.1.7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}