
CVE-2014-1934:
eyeD3 is vulnerable to arbitrary file modification via symlink attack

CVSS Score
4.5 (CVSS v3.1)

Basic Information

EPSS Score
0.14704%
Published
5/14/2022
Updated
8/4/2023
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L
Package Name
eyeD3
Ecosystem
pip
Vulnerable Versions
< 0.7.5
First Patched Version
0.7.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two call sites in tag.py where tempfile.mktemp() was used to generate temporary file names. mktemp() only returns a name that did not exist at the moment it was checked; the caller creates the file afterwards, so a local attacker can place a symlink at that name in the intervening window and the later write follows the link. This is a time-of-check-to-time-of-use (TOCTOU) race, and it is what makes the symlink attack possible. The Debian patch (CVE-2014-1934.patch) replaces mktemp() with tempfile.NamedTemporaryFile(), which creates the file itself, confirming the vulnerable code location. Multiple sources (Debian, Red Hat and openSUSE advisories) reference this fix in tag.py, and the CWE-59 classification (improper link resolution before file access) matches this pattern directly. Although the exact function names are not given in the available snippets, the context indicates the vulnerable code is the Tag class's file-saving logic, where the temporary files are created.
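To make the root cause concrete, the following is an added example, not eyeD3's code or the Debian patch: a hypothetical save routine written the way the vulnerable tag.py pattern works (tempfile.mktemp() chooses a name, the file is opened later) next to the same routine using tempfile.NamedTemporaryFile(), which creates the file with O_CREAT|O_EXCL and mode 0600 so a pre-placed symlink makes creation fail instead of being followed. The function names save_tag_unsafe, save_tag_safe and demonstrate are assumptions for this example, and demonstrate() runs the mechanism in a scratch directory with a constructed "victim" file, placing the symlink itself to stand in for a lost race. It relies on POSIX symlink semantics, so it is meant for Linux or macOS.

```python
"""Added example (not eyeD3's code): the tempfile.mktemp() pattern behind
CVE-2014-1934 beside the tempfile.NamedTemporaryFile() replacement applied by
the Debian patch, exercised in a scratch directory so the difference is visible."""
import os
import tempfile


def save_tag_unsafe(target_path, data):
    """Vulnerable pattern (CWE-59, hypothetical stand-in for the old tag.py code):
    mktemp() only *chooses* a name; nothing is created until open() runs.
    In that window another local user can place a symlink at the chosen name,
    and open(..., "wb") follows it, truncating and overwriting the link target."""
    tmp_name = tempfile.mktemp(dir=os.path.dirname(os.path.abspath(target_path)))
    with open(tmp_name, "wb") as fh:
        fh.write(data)
    os.replace(tmp_name, target_path)


def save_tag_safe(target_path, data):
    """Hardened pattern: NamedTemporaryFile() creates the file itself with
    O_CREAT|O_EXCL and mode 0600, so an existing symlink at that name makes
    creation fail (FileExistsError) instead of being followed. delete=False
    keeps the file so it can be renamed atomically into place."""
    target_dir = os.path.dirname(os.path.abspath(target_path))
    with tempfile.NamedTemporaryFile(dir=target_dir, delete=False) as fh:
        fh.write(data)
        tmp_name = fh.name
    os.replace(tmp_name, target_path)  # same directory, so the rename is atomic


def demonstrate(workdir=None):
    """Reproduce the mechanism in a scratch directory. A constructed 'victim'
    file stands in for an arbitrary file the attacker wants modified; the
    symlink is placed here to stand in for the lost race. Returns the victim's
    content after each pattern and whether the exclusive create refused the link."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as scratch:
            return demonstrate(scratch)

    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "wb") as fh:
        fh.write(b"original")

    # mktemp(): name first, file later. The write follows the symlink.
    tmp_name = tempfile.mktemp(dir=workdir)
    os.symlink(victim, tmp_name)        # simulated race loss
    with open(tmp_name, "wb") as fh:    # the same call the unsafe pattern makes
        fh.write(b"clobbered")
    with open(victim, "rb") as fh:
        after_unsafe = fh.read()

    # The flags NamedTemporaryFile() uses refuse that same pre-placed symlink.
    try:
        fd = os.open(tmp_name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    os.unlink(tmp_name)                 # removes the link, not the victim

    # The hardened save writes only the intended target.
    with open(victim, "wb") as fh:
        fh.write(b"original")
    target = os.path.join(workdir, "song.mp3")
    save_tag_safe(target, b"ID3 tag bytes")
    with open(victim, "rb") as fh:
        after_safe = fh.read()
    with open(target, "rb") as fh:
        target_bytes = fh.read()

    return {
        "after_unsafe": after_unsafe,   # b"clobbered": the link was followed
        "excl_refused": excl_refused,   # True: O_EXCL rejected the symlink
        "after_safe": after_safe,       # b"original": victim untouched
        "target": target_bytes,         # b"ID3 tag bytes": the intended file
    }


if __name__ == "__main__":
    print(demonstrate())
```

The detection side of this is simple: any tempfile.mktemp() call in a code base is a finding (Python's own documentation deprecates it for exactly this reason), and the fix is always to let mkstemp() or NamedTemporaryFile() create the file rather than only naming it.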


WAF Protection Rules

WAF Rule

tag.py in eyeD3 (aka python-eyed3) *.*.* and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.
