Symlink Vulnerability in Python Imaging Library Affecting Multiple Versions
CVE-2014-1933
Currently unrated
Summary
The Python Imaging Library (PIL) versions 1.1.7 and earlier, along with Pillow versions prior to 2.3.1, are susceptible to a symlink attack due to insecure handling of temporary file names. The names of temporary files are used on the command line, so local users can learn them by listing processes, which makes symbolic link attacks easier. This risk highlights the importance of secure coding practices and restrictive user permissions to mitigate unauthorized access.
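The failure mode in the summary, shown beside two safer ways to create the file. This is an added example, not PIL or Pillow code; the helper functions and file names are constructed for illustration and everything runs inside a private scratch directory.

```python
import os
import tempfile

def plain_write(path, data):
    # Vulnerable pattern: open() follows a symlink already sitting at `path`.
    with open(path, "wb") as fh:
        fh.write(data)

def exclusive_write(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if anything, symlink included, is at `path`.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def private_temp_write(data, directory=None):
    # mkstemp() chooses the name and creates the file in one step, owner-only.
    fd, path = tempfile.mkstemp(suffix=".tmp", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def read_bytes(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    # Constructed scenario: a symlink already exists at a name known in advance.
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "unrelated_file")
        known_name = os.path.join(scratch, "tmpimage")
        plain_write(target, b"original")
        os.symlink(target, known_name)
        plain_write(known_name, b"image bytes")  # lands in `target` via the link
        results["plain_overwrote_target"] = read_bytes(target) == b"image bytes"
        plain_write(target, b"original")  # reset before the hardened attempt
        try:
            exclusive_write(known_name, b"image bytes")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["target_intact"] = read_bytes(target) == b"original"
        path = private_temp_write(b"image bytes", directory=scratch)
        results["mkstemp_regular"] = not os.path.islink(path)
        results["mkstemp_private"] = (os.stat(path).st_mode & 0o077) == 0
    return results

if __name__ == "__main__":
    print(demo())
```

Passing the open file descriptor or the data itself to a helper process, rather than a path argument, also keeps the temporary name out of the process listing.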
Timeline
Vulnerability published
Vulnerability Reserved