PYSEC-2014-8

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2014-8.yaml

Aliases

CVE-2014-1402
GHSA-8r7q-cvjq-x353

Published

2014-05-19T14:55:00Z

Modified

2023-11-08T03:57:34.512953Z

Details

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with _jinja2 in /tmp.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
http://advisories.mageia.org/MGASA-2014-0028.html
http://jinja.pocoo.org/docs/changelog/
http://openwall.com/lists/oss-security/2014/01/10/3
https://bugzilla.redhat.com/show_bug.cgi?id=1051421
http://www.mandriva.com/security/advisories?name=MDVSA-2014:096
http://openwall.com/lists/oss-security/2014/01/10/2
http://secunia.com/advisories/59017
http://secunia.com/advisories/58918
http://secunia.com/advisories/60770
http://secunia.com/advisories/60738
http://secunia.com/advisories/56287
http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml
https://oss.oracle.com/pipermail/el-errata/2014-June/004192.html
http://secunia.com/advisories/58783
http://rhn.redhat.com/errata/RHSA-2014-0748.html
http://rhn.redhat.com/errata/RHSA-2014-0747.html
https://github.com/advisories/GHSA-8r7q-cvjq-x353

Affected packages

PyPI / jinja2

Package

Name: jinja2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.7.2

Affected versions

2.*

2.0rc1

2.0

2.1

2.1.1

2.2

2.2.1

2.3

2.3.1

2.4

2.4.1

2.5

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6

2.7

2.7.1