CVE-2014-1933

medium

Description

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

References

https://security.gentoo.org/glsa/201612-52

http://www.ubuntu.com/usn/USN-2168-1

http://www.securityfocus.com/bid/65513

http://www.openwall.com/lists/oss-security/2014/02/11/1

http://www.openwall.com/lists/oss-security/2014/02/10/15

http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html

Details

Source: Mitre, NVD

Published: 2014-04-17

Updated: 2017-07-01

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Medium