{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-02-10T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "GLSA-201612-52", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201612-52"}, {"name": "[oss-security] 20140210 CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/02/10/15"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7"}, {"name": "[oss-security] 20140210 Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/02/11/1"}, {"name": "USN-2168-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2168-1"}, {"name": "openSUSE-SU-2014:0591", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html"}, {"name": "65513", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65513"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1933", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-201612-52", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-52"}, {"name": "[oss-security] 20140210 CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/02/10/15"}, {"name": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7", "refsource": "CONFIRM", "url": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7"}, {"name": "[oss-security] 20140210 Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/02/11/1"}, {"name": "USN-2168-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2168-1"}, {"name": "openSUSE-SU-2014:0591", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html"}, {"name": "65513", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65513"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:58:15.513Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-201612-52", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201612-52"}, {"name": "[oss-security] 20140210 CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/02/10/15"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7"}, {"name": "[oss-security] 20140210 Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/02/11/1"}, {"name": "USN-2168-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2168-1"}, {"name": "openSUSE-SU-2014:0591", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html"}, {"name": "65513", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65513"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1933", "datePublished": "2014-04-17T14:00:00", "dateReserved": "2014-02-10T00:00:00", "dateUpdated": "2024-08-06T09:58:15.513Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1BAE1A0-BC57-4410-83DD-DB85B992398A", "versionEndIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pythonware:python_imaging_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0BFFC56-855D-49E5-A4FD-7AA2D68F5B5C", "versionEndIncluding": "1.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes."}, {"lang": "es", "value": "Los scripts (1) JpegImagePlugin.py y (2) EpsImagePlugin.py en Python Image Library (PIL) 1.1.7 y anteriores y Pillow anterior a 2.3.1 utiliza los nombres de archivos temporales en la l\u00ednea de comando, lo que facilita a usuarios locales realizar ataques symlink mediante el listado de los procesos."}], "id": "CVE-2014-1933", "lastModified": "2017-07-01T01:29:05.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-17T14:55:11.120", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2014/02/10/15"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2014/02/11/1"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/65513"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2168-1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201612-52"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-imaging: temporary file name exposure in process list", "id": "1063660", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063660"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "status": "draft"}, "cwe": "CWE-214", "details": ["The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes."], "name": "CVE-2014-1933", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "python-imaging", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python-imaging", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python-pillow", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2014-01-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-1933\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1933"], "threat_severity": "Low", "upstream_fix": "python-pillow 2.3.1"}