CVE-2014-1932 — MEDIUM (4.4)

Q: How severe is CVE-2014-1932?

CVE-2014-1932 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-1932?

Check the references section above for vendor advisories and patch information. Affected products include: Python Pillow, Pythonware Python Imaging Library.

Vulnerability Description

The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

CVSS Score

4.4

MEDIUM

AV:L/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Python	Pillow	<= 2.3.0
Pythonware	Python Imaging Library	<= 1.1.7

Related Weaknesses (CWE)

CWE-59

References

FAQ

What is CVE-2014-1932?

CVE-2014-1932 is a vulnerability with a CVSS score of 4.4 (MEDIUM). The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (P...

How severe is CVE-2014-1932?

CVE-2014-1932 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-1932?

Check the references section above for vendor advisories and patch information. Affected products include: Python Pillow, Pythonware Python Imaging Library.