Detections
Analytics
Oracle Solaris Third-Party Patch Update : jinja2 (multiple_vulnerabilities_in_jinja2)
medium Nessus Plugin ID 80649
Language:
Synopsis
The remote Solaris system is missing a security patch for third-party software.Description
The remote Solaris system is missing necessary patches to address security updates :- FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402. (CVE-2014-0012)
- The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
(CVE-2014-1402)
Solution
Upgrade to Solaris 11.2.5.5.0.See Also
Plugin Details
Severity: Medium
ID: 80649
File Name: solaris11_jinja2_20141216.nasl
Version: 1.3
Type: local
Family: Solaris Local Security Checks
Published: 1/19/2015
Updated: 1/14/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 4.4
Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/o:oracle:solaris:11.2, p-cpe:/a:oracle:solaris:jinja2
Required KB Items: Host/local_checks_enabled, Host/Solaris11/release, Host/Solaris11/pkg-list
Patch Publication Date: 12/16/2014
Reference Information
CVE: CVE-2014-0012, CVE-2014-1402