Vulnerability Name:

CVE-2014-1933 (CCN-91123)

Assigned: 2014-02-10
Published: 2014-02-10
Updated: 2017-07-01
Summary: The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Imaging Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.7 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.7 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2014-1933

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:0591

Source: MLIST
Type: UNKNOWN
[oss-security] 20140210 CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp

Source: MLIST
Type: UNKNOWN
[oss-security] 20140210 Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp

Source: CCN
Type: Python Ware Web site
Python Imaging Library package

Source: BID
Type: UNKNOWN
65513

Source: CCN
Type: BID-65513
Python Imaging Library Package Multiple Information Disclosure Vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-2168-1

Source: CCN
Type: Debian Bug report logs - #737059
python-pil: CVE-2014-1932 CVE-2014-1933

Source: XF
Type: UNKNOWN
python-imaging-cve20141933-info-disc(91123)

Source: CONFIRM
Type: Exploit, Patch
https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Source: GENTOO
Type: UNKNOWN
GLSA-201612-52

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-1933

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:python:pillow:*:*:*:*:*:*:*:* (Version <= 2.3.0)
  • OR cpe:/a:pythonware:python_imaging_library:*:*:*:*:*:*:*:* (Version <= 1.1.7)

  • * Denotes that component is vulnerable
    Oval Definitions
    python pillow *
    pythonware python imaging library *