Description
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
Remediation
References
Related Vulnerabilities
Drupal Core 4.7.x Security Bypass (4.7.0 - 4.7.7)
WordPress Plugin CP Contact Form with PayPal Multiple Vulnerabilities (1.1.5)
Oracle Application Server Other Vulnerability (CVE-2007-0281)
Chamilo Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2018-1999019)
IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-3050)