High severity · NVD Advisory · Published Apr 17, 2014 · Updated Jun 17, 2026
CVE-2014-1932
Description
The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Imaging Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.
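The following is an added example, not code from Pillow or from this advisory. It contrasts the flawed pattern described above (writing to a guessable temporary path) with exclusive creation, inside a private sandbox directory. The function names, the file name `pil-tmp-0001` and the sample data are constructed, and a POSIX system with symlink support is assumed.

```python
import os
import tempfile

def write_predictable(path, data):
    """Flawed pattern: open() on a guessable name follows an existing symlink."""
    with open(path, "wb") as fh:
        fh.write(data)

def write_exclusive(path, data):
    """O_CREAT|O_EXCL fails if anything, a symlink included, already sits at path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def write_mkstemp(data, directory=None):
    """mkstemp picks an unpredictable name and creates it exclusively, mode 0600."""
    fd, path = tempfile.mkstemp(suffix=".tmp", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Run the three patterns against a pre-planted symlink and report the outcome."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")      # stands in for a user's file
        guessable = os.path.join(sandbox, "pil-tmp-0001")  # constructed predictable name
        write_predictable(victim, b"original")
        os.symlink(victim, guessable)                      # link planted before the write

        write_predictable(guessable, b"clobbered")
        after_unsafe = _read(victim)                       # write went through the link

        write_predictable(victim, b"original")             # reset for the safe variants
        try:
            write_exclusive(guessable, b"clobbered")
            refused = False
        except FileExistsError:
            refused = True
        safe_path = write_mkstemp(b"image bytes", sandbox)
        return {"victim_after_unsafe": after_unsafe,
                "exclusive_refused": refused,
                "victim_after_safe": _read(victim),
                "mkstemp_mode": os.stat(safe_path).st_mode & 0o777}

if __name__ == "__main__":
    print(demo())
```
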
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 2.3.1 | 2.3.1 |
Affected products (3)
- cpe:2.3:a:pythonware:python_imaging_library:*:*:*:*:*:*:*:* (Range: <=1.1.7)
References (11)
- github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7 (nvd; Exploit, Patch; WEB)
- github.com/advisories/GHSA-x895-2wrm-hvp7 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-1932 (ghsa; ADVISORY)
- lists.opensuse.org/opensuse-updates/2014-05/msg00002.html (nvd; WEB)
- www.openwall.com/lists/oss-security/2014/02/11/1 (nvd; WEB)
- www.ubuntu.com/usn/USN-2168-1 (nvd; WEB)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-22.yaml (ghsa; WEB)
- security.gentoo.org/glsa/201612-52 (nvd; WEB)
- web.archive.org/web/20170103151725/http://www.securityfocus.com/bid/65511 (ghsa; WEB)
- www.securityfocus.com/bid/65511 (nvd)