{"id":"PYSEC-2012-15","details":"Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.","aliases":["CVE-2012-0878","GHSA-27px-qpmj-qg38"],"modified":"2024-04-30T15:11:27.158856Z","published":"2012-05-01T19:55:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=796790"},{"type":"WEB","url":"http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/02/23/1"},{"type":"WEB","url":"https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/02/23/4"},{"type":"WEB","url":"https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2012-1206.html"},{"type":"ADVISORY","url":"http://secunia.com/advisories/48812"},{"type":"ADVISORY","url":"http://secunia.com/advisories/50410"}],"affected":[{"package":{"name":"paste","ecosystem":"PyPI","purl":"pkg:pypi/paste"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.5.1"}]}],"versions":["0.3","0.4","0.4.1","0.5","0.9","0.9.1","0.9.2","0.9.3","0.9.5","0.9.6","0.9.7","0.9.8","0.9.8.1","1.0","1.0.1","1.1","1.1.1","1.2","1.2.1","1.3","1.4","1.4.1","1.4.2","1.5","1.5.1","1.6","1.7","1.7.1","1.7.2","1.7.3","1.7.3.1","1.7.4","1.7.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/paste/PYSEC-2012-15.yaml"}}],"schema_version":"1.7.3"}