ALT Linux Team

Package python-module-jinja2 update in sisyphus on 2019-09-09

ALT-PU-2019-2664-2

Package python-module-jinja2 updated to version 2.10.1-alt1 for branch sisyphus in task 237301.

Closed vulnerabilities

Published: 2019-02-15

BDU:2019-01179

Уязвимость функции from_string шаблонизатора Jinja2 для языка программирования Python, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Severity: HIGH (8.2) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Severity: HIGH (8.5) Vector: AV:N/AC:L/Au:N/C:P/I:C/A:N
References:
Published: 2019-04-07
Modified: 2024-11-21

CVE-2019-10906

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Severity: HIGH (8.6) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References:
Published: 2019-02-15
Modified: 2024-11-21

CVE-2019-8341

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

Severity: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top