
CVE-2014-1624: pyxdg Arbitrary File Overwrite via Race Condition

CVSS Score
3.3

Basic Information

EPSS Score
0.17229%
Published
5/17/2022
Updated
10/16/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
AV:L/AC:M/Au:N/C:N/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
pyxdg | pip | <= 0.25 | 0.26

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description explicitly names get_runtime_dir as the vulnerable function. The commit diff shows security improvements in this function: the original code used a basic mkdir/chmod sequence without verifying directory ownership, symlink status, or access permissions. This allowed TOCTOU attacks in which an attacker could first create a legitimate directory, then replace it with a symlink after validation. The CWE-59 classification confirms this is a link resolution issue. The patch adds lstat checks, ownership verification, and proper cleanup, directly addressing the vulnerability in this function.
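As an added illustration of the root cause (this is constructed example code, not pyxdg's own implementation), the naive create-then-chmod pattern is shown beside a hardened version that performs the lstat, ownership and mode checks the analysis describes. The fallback directory name mirrors the one in the advisory; the temporary base directory and the "victim" directory are constructed for the demo.

```python
import errno
import os
import stat
import tempfile

def naive_runtime_dir(path):
    # The pattern the analysis calls vulnerable (constructed): isdir() and
    # chmod() both follow symlinks, so a planted link is accepted and the
    # chmod lands on whatever the link points to.
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    os.chmod(path, 0o700)
    return path

def hardened_runtime_dir(path):
    # The checks the patch added: lstat (never follows links), must be a real
    # directory owned by us with mode exactly 0700; anything else is replaced.
    create = False
    try:
        st = os.lstat(path)
    except OSError as e:
        if e.errno != errno.ENOENT:
            raise
        create = True
    else:
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(path)  # symlink or file: remove without following it
            create = True
        elif st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) != 0o700:
            os.rmdir(path)   # wrong owner/perms; raises if not empty
            create = True
    if create:
        # mkdir is atomic and raises FileExistsError if something appeared
        # between lstat and here: fail closed rather than use it.
        os.mkdir(path, 0o700)
    return path

def demo():
    # Constructed scenario: a symlink pre-planted at the fallback path.
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim-owned")
    os.mkdir(victim, 0o755)
    fallback = os.path.join(base, "pyxdg-runtime-dir-fallback-victim")
    os.symlink(victim, fallback)
    naive_kept_link = os.path.islink(naive_runtime_dir(fallback))
    victim_mode_changed = stat.S_IMODE(os.stat(victim).st_mode) == 0o700
    hardened_runtime_dir(fallback)
    now_real_dir = os.path.isdir(fallback) and not os.path.islink(fallback)
    return naive_kept_link, victim_mode_changed, now_real_dir
```

The naive version accepts the link and its chmod modifies the victim-owned directory; the hardened version removes the link and creates a real 0700 directory in its place.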


WAF Protection Rules

WAF Rule

Race condition in the `xdg.BaseDirectory.get_runtime_dir` function in pyxdg 0.25 allows local users to overwrite arbitrary files by pre-creating `/tmp/pyxdg-runtime-dir-fallback-victim` to point to a victim-owned location, then replacing it with a sy
