CVE-2014-1932
CVE-2014-1932 is a vulnerability of currently unknown severity. EPSS estimates a 0.49% chance of exploitation in the next 30 days.
Description
The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.
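The root cause is that the affected functions chose a temporary file name first and opened it afterwards, so a symlink planted at that name in the gap redirects the write to whatever the link points at (the upstream fix replaced tempfile.mktemp with tempfile.mkstemp). The following is an added example, not PIL's or Pillow's code: a constructed approximation of the unsafe pattern, the hardened create-or-fail form, and a sandboxed regression check (paths and data are constructed) showing that only the hardened form refuses a pre-planted symlink.

```python
import errno
import os
import tempfile


def create_temp_insecure(path: str, data: bytes) -> None:
    """Approximation of the unsafe pattern (assumption, not the original code):
    the name is already fixed and plain open() follows any symlink sitting there."""
    with open(path, "wb") as f:
        f.write(data)


def create_temp_secure(path: str, data: bytes) -> None:
    """Hardened form: create-or-fail (O_EXCL), never follow a link (O_NOFOLLOW),
    owner-only mode. tempfile.mkstemp() applies the same flags and also picks
    an unpredictable name, which is the idiomatic fix."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def check_symlink_resistance(create):
    """Run `create` inside a private directory where the intended temp name is
    already a symlink to a file that must stay untouched. Returns the victim
    file's contents afterwards and the errno name raised, if any."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")  # constructed stand-in for a protected file
        with open(victim, "wb") as f:
            f.write(b"original")
        tmp_name = os.path.join(d, "scratch.jpg")  # the predictable temp name
        os.symlink(victim, tmp_name)
        try:
            create(tmp_name, b"overwritten")
            err = None
        except OSError as e:
            err = errno.errorcode.get(e.errno, str(e.errno))
        with open(victim, "rb") as f:
            return f.read(), err


if __name__ == "__main__":
    print("insecure:", check_symlink_resistance(create_temp_insecure))
    print("secure:  ", check_symlink_resistance(create_temp_secure))
```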
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Python | Pillow | <= 2.3.0 |
| Pythonware | Python Imaging Library | <= 1.1.7 |
Source: NVD / NIST