Vulnerability Name:

CVE-2014-1624 (CCN-90618)

Assigned: 2014-01-21
Published: 2014-01-21
Updated: 2017-08-29
Summary: Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.
CVSS v3 Severity: 5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 3.3 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P)
2.9 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): Partial
3.3 Low (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P)
2.9 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-59
Vulnerability Consequences: File Manipulation
References:
Source: CCN
Type: Debian Bug report logs - #736247
python-xdg: get_runtime_dir(strict=False): insecure use of /tmp (CVE-2014-1624)

Source: MISC
Type: UNKNOWN
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247

Source: MITRE
Type: CNA
CVE-2014-1624

Source: CCN
Type: freedesktop Web site
python-xdg

Source: MLIST
Type: UNKNOWN
[oss-security] 20140121 Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp

Source: MLIST
Type: UNKNOWN
[oss-security] 20140121 Re: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp

Source: BID
Type: UNKNOWN
65042

Source: CCN
Type: BID-65042
python-xdg '/tmp' Insecure Temporary File Creation Vulnerability

Source: XF
Type: UNKNOWN
pythonxdg-cve20141624-symlink(90618)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-1624

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:python:pyxdg:0.25:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:55525
    P
    Security update for ldb, samba (Important)
    2023-03-29
    oval:org.opensuse.security:def:20141624
    V
    CVE-2014-1624
    2022-09-02
    oval:org.opensuse.security:def:24052
    P
    Security update for apache2 (Important)
    2022-01-12
    oval:org.opensuse.security:def:23702
    P
    Security update for MozillaFirefox (Important)
    2021-11-17
    oval:org.opensuse.security:def:45384
    P
    Security update for transfig (Important)
    2021-10-06
    oval:org.opensuse.security:def:23677
    P
    Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)
    2021-09-23
    oval:org.opensuse.security:def:61091
    P
    Security update for the Linux Kernel (Important)
    2021-09-23
    oval:org.opensuse.security:def:61680
    P
    xorg-x11-devel-7.6.1-1.16 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:61553
    P
    libpango-1_0-0-1.40.14-3.3.1 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:57068
    P
    Security update for MozillaFirefox (Important)
    2021-08-17
    oval:org.opensuse.security:def:47555
    P
    apache2-mod_jk-1.2.40-5.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:46917
    P
    cups-pk-helper-0.2.5-3.72 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47211
    P
    autofs-5.0.9-27.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47160
    P
    supportutils-3.0-85.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47608
    P
    file-5.22-10.6.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:63421
    P
    ffmpeg-3.4.2-9.2 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62141
    P
    libbsd-devel-0.8.7-3.3.17 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62331
    P
    subversion-1.10.6-3.15.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62748
    P
    gdk-pixbuf-query-loaders-32bit-2.40.0-3.3.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62203
    P
    libprocps7-3.3.15-7.16.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:13712
    P
    qemu-2.3.1-5.7 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46693
    P
    libHX28-3.18-1.19 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46457
    P
    libXfixes3-32bit-5.0.1-3.53 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12753
    P
    xf86-video-intel-2.99.917+git781.c8990575-1.27 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46611
    P
    apache-commons-beanutils-1.9.2-1.149 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46711
    P
    libXvMC1-1.0.8-3.57 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46428
    P
    gnome-keyring-3.10.1-4.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:63525
    P
    NetworkManager-applet-1.8.10-3.39 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46848
    P
    strongswan-5.1.3-18.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46660
    P
    gdk-pixbuf-lang-2.30.6-1.23 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12783
    P
    libpacemaker3-1.1.16-4.8 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:61362
    P
    strongswan-5.6.0-2.43 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46817
    P
    perl-Tk-804.031-3.82 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12761
    P
    yast2-3.2.48-3.29.20 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46400
    P
    cups-pk-helper-0.2.5-3.72 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46754
    P
    libpango-1_0-0-1.36.3-4.14 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:13734
    P
    sysvinit-tools-2.88+-94.13 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46522
    P
    libtiff5-32bit-4.0.3-9.78 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:56994
    P
    Security update for avahi (Important)
    2021-06-03
    oval:org.opensuse.security:def:23560
    P
    Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)
    2021-04-28
    oval:org.opensuse.security:def:23202
    P
    Security update for nghttp2 (Important)
    2021-03-24
    oval:org.opensuse.security:def:24030
    P
    Security update for openldap2 (Important)
    2021-03-03
    oval:org.opensuse.security:def:54768
    P
    Security update for python-cryptography (Important)
    2021-03-02
    oval:org.opensuse.security:def:23749
    P
    Security update for java-1_8_0-ibm (Important)
    2021-02-26
    oval:org.opensuse.security:def:23742
    P
    Security update for wpa_supplicant (Important)
    2021-02-15
    oval:org.opensuse.security:def:23686
    P
    Security update for python3 (Important)
    2021-02-08
    oval:org.opensuse.security:def:23982
    P
    Security update for python3 (Important)
    2021-02-08
    oval:org.opensuse.security:def:23933
    P
    Security update for postgresql, postgresql12, postgresql13 (Important)
    2021-01-26
    oval:org.opensuse.security:def:24039
    P
    Security update for MozillaFirefox (Important)
    2021-01-12
    oval:org.opensuse.security:def:23495
    P
    Security update for MozillaFirefox (Critical)
    2020-12-21
    oval:org.opensuse.security:def:23873
    P
    Security update for openssh (Moderate)
    2020-12-16
    oval:org.opensuse.security:def:61885
    P
    libspice-client-glib-2_0-8-0.37-1.92 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62432
    P
    libass-devel-0.14.0-1.25 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:13010
    P
    libjson-c2-0.11-2.15 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62694
    P
    libquicktime-1.2.4+git20180804.fff99cd-1.19 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:12876
    P
    eog-3.20.4-7.7 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63623
    P
    kernel-default-extra-5.3.18-22.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61968
    P
    python3-urllib3-1.24-9.7.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:13074
    P
    libssh2-1-1.4.3-20.9.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62966
    P
    nasm-2.13.02-1.17 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62611
    P
    ImageMagick-7.0.7.34-8.3 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:12829
    P
    atftp-0.7.0-160.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61945
    P
    perl-LWP-Protocol-https-6.06-1.24 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:13061
    P
    librelp0-1.2.12-3.3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:46369
    P
    nodejs6-6.9.5-7.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62661
    P
    libavcodec57-3.4.2-9.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:12985
    P
    libfreebl3-3.45-58.31.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:13052
    P
    libproxy1-0.4.13-16.3 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62614
    P
    PackageKit-1.1.13-2.16 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62562
    P
    libmad-devel-0.15.1b-3.16 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:61944
    P
    perl-HTML-Parser-3.72-1.26 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:12910
    P
    guestfs-data-1.32.4-21.3.10 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63289
    P
    nut-2.7.4-4.72 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62416
    P
    gstreamer-plugins-bad-1.12.5-1.40 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62524
    P
    gnome-shell-3.26.2+20180130.0d9c74212-4.16.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:12891
    P
    ghostscript-9.27-23.28.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:54195
    P
    finch on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45681
    P
    Security update for ucode-intel (Important)
    2020-12-01
    oval:org.opensuse.security:def:45930
    P
    Security update for libpng16 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:54874
    P
    libipa_hbac0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24768
    P
    Security update for taglib (Low)
    2020-12-01
    oval:org.opensuse.security:def:44908
    P
    Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:46170
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:60903
    P
    Security update for binutils (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24195
    P
    Security update for perl-DBI (Important)
    2020-12-01
    oval:org.opensuse.security:def:24543
    P
    Security update for python-xdg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45724
    P
    Security update for ucode-intel (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24221
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:45531
    P
    Security update for wireshark (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24323
    P
    Security update for java-1_8_0-ibm (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45497
    P
    Security update for kernel-firmware (Important)
    2020-12-01
    oval:org.opensuse.security:def:45873
    P
    Security update for glibc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55433
    P
    Security update for gnutls (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24726
    P
    Security update for java-1_8_0-ibm (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:44897
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:46042
    P
    Security update for adns (Important)
    2020-12-01
    oval:org.opensuse.security:def:54194
    P
    file on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24511
    P
    Security update for postgresql10 (Important)
    2020-12-01
    oval:org.opensuse.security:def:24099
    P
    Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)
    2020-12-01
    oval:org.opensuse.security:def:45402
    P
    Security update for ghostscript (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55718
    P
    Security update for wireshark (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63803
    P
    Security update for python-xdg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:23449
    P
    Security update for glibc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24576
    P
    Security update for libarchive (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25043
    P
    Security update for python-xdg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60902
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:54595
    P
    libqt4-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:46023
    P
    Security update for squid (Important)
    2020-12-01
    oval:org.opensuse.security:def:24712
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:45854
    P
    Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)
    2020-12-01
    oval:org.opensuse.security:def:45815
    P
    Security update for bind (Important)
    2020-12-01
    oval:org.opensuse.security:def:45321
    P
    Security update for libzypp, zypper (Important)
    2020-12-01
    oval:org.opensuse.security:def:55637
    P
    Security update for unzip (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45372
    P
    Security update for clamav (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63718
    P
    Security update for java-1_8_0-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:44896
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:23379
    P
    Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:24429
    P
    Security update for systemd (Important)
    2020-12-01
    oval:org.opensuse.security:def:25011
    P
    Security update for apache2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:54357
    P
    perl-YAML-LibYAML on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45889
    P
    Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)
    2020-12-01
    oval:org.opensuse.security:def:46022
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:45737
    P
    Security update for clamav (Important)
    2020-12-01
    oval:org.opensuse.security:def:24244
    P
    Security update for sudo (Important)
    2020-12-01
    oval:org.opensuse.security:def:55325
    P
    logrotate on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:23837
    P
    Security update for permissions (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25440
    P
    Security update for python-xdg (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45200
    P
    Security update for shadow (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55599
    P
    Security update for kernel-source (Important)
    2020-12-01
    oval:org.opensuse.security:def:63768
    P
    Security update for perl (Important)
    2020-12-01
    oval:org.opensuse.security:def:23263
    P
    Security update for quagga (Important)
    2020-12-01
    oval:org.opensuse.security:def:24351
    P
    Security update for tiff (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:46310
    P
    Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)
    2020-12-01
    oval:org.opensuse.security:def:24373
    P
    Security update for opensc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:54217
    P
    gzip on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45805
    P
    Security update for squid (Important)
    2020-12-01
    oval:org.opensuse.security:def:45959
    P
    Security update for ucode-intel (Important)
    2020-12-01
    oval:org.opensuse.security:def:45725
    P
    Security update for ovmf (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:45371
    P
    Security update for ImageMagick (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:23860
    P
    Security update for mailman (Important)
    2020-12-01
    oval:org.opensuse.security:def:55040
    P
    xinetd on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:23825
    P
    Security update for libseccomp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25406
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:45018
    P
    Security update for LibVNCServer (Important)
    2020-12-01
    oval:org.opensuse.security:def:46258
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:60925
    P
    Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:24627
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:63663
    P
    Security update for libssh2_org (Important)
    2020-12-01
    oval:org.opensuse.security:def:23210
    P
    Security update for lcms2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24298
    P
    Security update for polkit (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:46230
    P
    Security update for ucode-intel (Important)
    2020-12-01
    oval:org.opensuse.security:def:24335
    P
    Security update for mgetty (Important)
    2020-12-01
    oval:org.opensuse.security:def:88781
    P
    Security update for python-xdg (Moderate)
    2019-10-18
    oval:org.opensuse.security:def:124937
    P
    Security update for python-xdg (Moderate)
    2019-10-18
    oval:org.opensuse.security:def:79702
    P
    Security update for python-xdg (Moderate)
    2019-10-18
    oval:org.opensuse.security:def:126357
    P
    Security update for python-xdg (Moderate)
    2019-10-18
    oval:org.opensuse.security:def:87018
    P
    Security update for python-xdg (Moderate)
    2019-10-18
    oval:com.ubuntu.bionic:def:201416240000000
    V
    CVE-2014-1624 on Ubuntu 18.04 LTS (bionic) - low.
    2014-01-28
    oval:com.ubuntu.xenial:def:201416240000000
    V
    CVE-2014-1624 on Ubuntu 16.04 LTS (xenial) - low.
    2014-01-28
    oval:com.ubuntu.disco:def:201416240000000
    V
    CVE-2014-1624 on Ubuntu 19.04 (disco) - low.
    2014-01-28
    oval:com.ubuntu.artful:def:20141624000
    V
    CVE-2014-1624 on Ubuntu 17.10 (artful) - low.
    2014-01-27
    oval:com.ubuntu.trusty:def:20141624000
    V
    CVE-2014-1624 on Ubuntu 14.04 LTS (trusty) - low.
    2014-01-27
    oval:com.ubuntu.bionic:def:20141624000
    V
    CVE-2014-1624 on Ubuntu 18.04 LTS (bionic) - low.
    2014-01-27
    oval:com.ubuntu.xenial:def:20141624000
    V
    CVE-2014-1624 on Ubuntu 16.04 LTS (xenial) - low.
    2014-01-27
    oval:com.ubuntu.cosmic:def:20141624000
    V
    CVE-2014-1624 on Ubuntu 18.10 (cosmic) - low.
    2014-01-27
    oval:com.ubuntu.cosmic:def:201416240000000
    V
    CVE-2014-1624 on Ubuntu 18.10 (cosmic) - low.
    2014-01-27
    oval:com.ubuntu.precise:def:20141624000
    V
    CVE-2014-1624 on Ubuntu 12.04 LTS (precise) - low.
    2014-01-27
    python pyxdg 0.25