VIR Vulnerability Intelligence Relay

CVE-2014-2667

low
Published 2014-11-16 · Modified 2026-05-06
CVSS v3
CVSS v2
3.3
VIR risk
3.3

Description

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-2667

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://bugs.python.org/issue21082

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2014-2667.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbullseyefixed0

Application impact
VendorProductVersionsFixed
pythonpython3.2.0
pythonpython3.2.1
pythonpython3.2.2
pythonpython3.2.3
pythonpython3.2.4
pythonpython3.2.5
pythonpython3.2.6
pythonpython3.3.0
pythonpython3.3.1
pythonpython3.3.2
pythonpython3.3.3
pythonpython3.3.4
pythonpython3.3.5
pythonpython3.3.6
pythonpython3.4.0
pythonpython3.4.1
pythonpython3.4.2

References

CWEs

CWE-362

Verify integrity in audit chain (admin only). AS-IS.