VYPR
Moderate severity · NVD Advisory · Published May 19, 2014 · Updated May 6, 2026

CVE-2014-0012

Description

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
Jinja2    PyPI        < 2.7.2             2.7.2

This range does not match the description above, which names 2.7.2 itself as affected: the 2.7.2 change shown under Patches is the incomplete fix that the description refers to, so 2.7.2 should be treated as affected. The corrected fix shipped in Jinja2 2.7.3 (its changelog records a corrected security fix for the cache folder); that version is not reflected in the advisory-sourced table.

Patches

2 entries, both the same commit acb672b6a179, recorded once under https://github.com/pallets/jinja and once under the repository's former location https://github.com/mitsuhiko/jinja2.
acb672b6a179

Fixed a security issue with temporary files on the filesystem cache on UNIX.

https://github.com/pallets/jinja · Armin Ronacher · Jan 10, 2014 · via ghsa
2 files changed · +32 −2
  • CHANGES (+5 −0, modified)
    @@ -7,6 +7,11 @@ Version 2.7.2
     
     - Prefix loader was not forwarding the locals properly to
       inner loaders.  This is now fixed.
    +- Security issue: Changed the default folder for the filesystem cache to be
    +  user specific and read and write protected on UNIX systems.  See `Debian bug
    +  734747`_ for more information.
    +
    +.. _Debian bug 734747: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
     
     Version 2.7.1
     -------------
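Review bot: the new changelog entry says the default cache folder is now "user specific and read and write protected", but the same commit leaves the Windows path unchanged (the system temp directory is returned as-is) and raises on platforms without os.getuid; state in the entry that the per-user, permission-restricted directory applies to UNIX only and that other platforms must now pass an explicit directory, otherwise readers will assume every platform got the protection.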
    
  • jinja2/bccache.py (+27 −2, modified)
    @@ -15,7 +15,9 @@
         :license: BSD.
     """
     from os import path, listdir
    +import os
     import sys
    +import errno
     import marshal
     import tempfile
     import fnmatch
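Review bot: `import os` now sits beside the existing `from os import path, listdir`, so the module refers to the same package two ways (`path.join` in `_get_cache_filename`, `os.path.join` in the new helper); use one form, either drop the new `import os` in favour of `path.join` and `from os import getuid, mkdir`, or switch the older call sites to `os.path`. The `errno` import is needed for the EEXIST comparison and is fine.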
    @@ -189,7 +191,9 @@ class FileSystemBytecodeCache(BytecodeCache):
         two arguments: The directory where the cache items are stored and a
         pattern string that is used to build the filename.
     
    -    If no directory is specified the system temporary items folder is used.
    +    If no directory is specified a default cache directory is selected.  On
    +    Windows the user's temp directory is used, on UNIX systems a directory
    +    is created for the user in the system temp directory.
     
         The pattern can be used to have multiple separate caches operate on the
         same directory.  The default pattern is ``'__jinja2_%s.cache'``.  ``%s``
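Review bot: the new docstring text says a directory "is created for the user in the system temp directory" but documents neither its name nor its permissions, nor the `RuntimeError` that `_get_default_cache_dir` raises when `os.getuid` is unavailable. State that the UNIX default is `<tempdir>/_jinja2-cache-<uid>` created with mode 0700, and that on platforms without `os.getuid` a `directory` argument is mandatory, since that is a behaviour change for existing callers relying on the old `tempfile.gettempdir()` default.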
    @@ -202,10 +206,31 @@ class FileSystemBytecodeCache(BytecodeCache):
     
         def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
             if directory is None:
    -            directory = tempfile.gettempdir()
    +            directory = self._get_default_cache_dir()
             self.directory = directory
             self.pattern = pattern
     
    +    def _get_default_cache_dir(self):
    +        tmpdir = tempfile.gettempdir()
    +
    +        # On windows the temporary directory is used specific unless
    +        # explicitly forced otherwise.  We can just use that.
    +        if os.name == 'n':
    +            return tmpdir
    +        if not hasattr(os, 'getuid'):
    +            raise RuntimeError('Cannot determine safe temp directory.  You '
    +                               'need to explicitly provide one.')
    +
    +        dirname = '_jinja2-cache-%d' % os.getuid()
    +        actual_dir = os.path.join(tmpdir, dirname)
    +        try:
    +            os.mkdir(actual_dir, 0700)
    +        except OSError as e:
    +            if e.errno != errno.EEXIST:
    +                raise
    +
    +        return actual_dir
    +
         def _get_cache_filename(self, bucket):
             return path.join(self.directory, self.pattern % bucket.key)
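Review bot: the `except OSError` branch in `_get_default_cache_dir` accepts any pre-existing `<tempdir>/_jinja2-cache-<uid>` on EEXIST, and because the name is derived from the uid alone, another local user of the shared temp directory can create that directory (or a symlink under that name) before the victim does; the 0700 mode passed to `os.mkdir` then never applies and the cache reads and writes inside a directory the attacker controls. After catching EEXIST, `os.lstat(actual_dir)` and refuse the directory unless `stat.S_ISDIR(st.st_mode)`, `st.st_uid == os.getuid()` and `st.st_mode & 0o077 == 0` all hold. Two smaller points in the same hunk: `os.name == 'n'` never matches, Windows reports `'nt'`, so the Windows branch is dead code and such hosts fall through to the `RuntimeError`; and the literal `0700` is Python 2 only octal syntax, `0o700` works on both major versions.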
     
    

Vulnerability mechanics

Before the 2.7.2 change shown under Patches, FileSystemBytecodeCache wrote its files directly into the shared `tempfile.gettempdir()` under the fixed pattern `__jinja2_%s.cache`. The change replaced that default with a per-user directory, `<tempdir>/_jinja2-cache-<uid>`, created with `os.mkdir(actual_dir, 0700)`. The directory name contains nothing but the target user's uid, so any other local user can create it first in the shared temp directory, or place a symlink of that name there. `os.mkdir` then fails with EEXIST, which `_get_default_cache_dir` treats as success without checking who owns the path, what its mode is, or whether it is a directory at all. The 0700 mode is therefore never applied, and the victim's process reads and writes the cache in a location the attacker controls. Because the cache holds compiled template bytecode (the module uses `marshal`) that is loaded back into the process, a planted cache file runs with the victim's privileges, which is the local privilege escalation the description refers to. This is why the description characterizes the 2.7.2 change as an incomplete fix for CVE-2014-1402.
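The check the mechanics above call for, as an added example that is not part of Jinja2 or of this advisory page: `naive_cache_dir` mirrors the EEXIST handling of the 2.7.2 patch, and `safe_cache_dir` refuses a pre-existing directory unless it is a real directory, owned by the calling uid and closed to other users. The function names, the scenario runner and the temporary root it builds are the example's own; a directory owned by another uid cannot be staged without root, so that branch is exercised by calling the checker with a wrong uid.

```python
"""Added example, not Jinja2 code: accepting vs. validating reuse of a
predictable per-user cache directory (the CVE-2014-0012 pattern)."""
import errno
import os
import shutil
import stat
import tempfile


def cache_dir_name(tmpdir, uid):
    # The same predictable name the 2.7.2 patch builds: tmpdir + _jinja2-cache-<uid>.
    return os.path.join(tmpdir, "_jinja2-cache-%d" % uid)


def naive_cache_dir(tmpdir):
    """Logic equivalent to the 2.7.2 patch: mkdir 0700, accept EEXIST blindly."""
    d = cache_dir_name(tmpdir, os.getuid())
    try:
        os.mkdir(d, 0o700)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise
    return d


def check_existing_dir(path, uid):
    """Return None if path is a real directory owned by uid and closed to
    others, else a short reason. lstat, not stat: a planted symlink must not
    be followed."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory (symlink or file planted in its place)"
    if st.st_uid != uid:
        return "owned by uid %d, expected %d" % (st.st_uid, uid)
    if st.st_mode & 0o077:
        return "mode %o lets other users in" % stat.S_IMODE(st.st_mode)
    return None


def safe_cache_dir(tmpdir):
    """Hardened variant: create with 0700; if the name already exists, use it
    only after check_existing_dir passes, otherwise refuse with RuntimeError."""
    uid = os.getuid()
    d = cache_dir_name(tmpdir, uid)
    try:
        os.mkdir(d, 0o700)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise
        problem = check_existing_dir(d, uid)
        if problem is not None:
            raise RuntimeError("refusing cache dir %s: %s" % (d, problem))
    return d


def _rejects(fn, *args):
    try:
        fn(*args)
    except RuntimeError:
        return True
    return False


def run_scenarios():
    """Stage attacker pre-creation in a constructed temp root and record what
    each helper does. Returns a dict of booleans; the root is removed after."""
    root = tempfile.mkdtemp(prefix="cve-2014-0012-demo-")
    results = {}
    try:
        uid = os.getuid()
        planted = cache_dir_name(root, uid)

        # Scenario A: the name was pre-created world-accessible by someone else.
        os.mkdir(planted)
        os.chmod(planted, 0o777)  # explicit chmod so the umask cannot mask the bits
        results["naive_accepts_world_accessible"] = naive_cache_dir(root) == planted
        results["safe_rejects_world_accessible"] = _rejects(safe_cache_dir, root)
        os.rmdir(planted)

        # Scenario B: a symlink planted under the expected name.
        elsewhere = tempfile.mkdtemp(prefix="attacker-", dir=root)
        os.symlink(elsewhere, planted)
        results["naive_accepts_symlink"] = naive_cache_dir(root) == planted
        results["safe_rejects_symlink"] = _rejects(safe_cache_dir, root)
        os.unlink(planted)

        # Scenario C: nothing planted; the safe path creates, then reuses, its own.
        created = safe_cache_dir(root)
        results["safe_creates_fresh"] = check_existing_dir(created, uid) is None
        results["safe_reuses_own"] = safe_cache_dir(root) == created
        # Ownership mismatch, simulated by asking for a uid we are not.
        results["owner_check_fires"] = check_existing_dir(created, uid + 1) is not None
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, ok in sorted(run_scenarios().items()):
        print("%-32s %s" % (name, ok))
```

The ordering matters: `os.mkdir` first, and only on EEXIST fall back to validation, so the common case pays one syscall and the validation is done with `lstat` on the exact name that collided. Checking `st_uid` alone is not enough, since a user's own earlier run may have left the directory with a permissive mode, hence the separate `0o077` test.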
