CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
10.1%
CentOS Errata and Security Advisory CESA-2014:0747
Jinja2 is a template engine written in pure Python. It provides a
Django-inspired, non-XML syntax but supports inline expressions and an
optional sandboxed environment.
It was discovered that Jinja2 did not properly handle bytecode cache files
stored in the system’s temporary directory. A local attacker could use this
flaw to alter the output of an application using Jinja2 and
FileSystemBytecodeCache, and potentially execute arbitrary code with the
privileges of that application. (CVE-2014-1402)
All python-jinja2 users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. For the update to
take effect, all applications using python-jinja2 must be restarted.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-June/082529.html
Affected packages:
python-jinja2
Upstream details at:
https://access.redhat.com/errata/RHSA-2014:0747
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | i686 | python-jinja2 | < 2.2.1-2.el6_5 | python-jinja2-2.2.1-2.el6_5.i686.rpm |
CentOS | 6 | x86_64 | python-jinja2 | < 2.2.1-2.el6_5 | python-jinja2-2.2.1-2.el6_5.x86_64.rpm |