ALT-PU-2019-2664-2
Package python-module-jinja2 updated to version 2.10.1-alt1 for branch sisyphus in task 237301.
Closed vulnerabilities
BDU:2019-01179
Vulnerability in the from_string function of the Jinja2 template engine for the Python programming language, allowing an attacker to affect the confidentiality and integrity of protected information
Modified: 2024-11-21
CVE-2019-10906
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
- openSUSE-SU-2019:1395
- openSUSE-SU-2019:1614
- RHSA-2019:1152
- RHSA-2019:1237
- RHSA-2019:1329
- [infra-devnull] 20190410 [GitHub] [airflow] ashb closed pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [infra-devnull] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [infra-devnull] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [infra-devnull] 20190410 [GitHub] [airflow] XD-DENG opened pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] ashb merged pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] XD-DENG opened a new pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- FEDORA-2019-e41e19457b
- FEDORA-2019-4f978cacb4
- FEDORA-2019-04a42e480b
- https://palletsprojects.com/blog/jinja-2-10-1-released
- USN-4011-1
- USN-4011-2
Modified: 2024-11-21
CVE-2019-8341
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
- openSUSE-SU-2019:1395
- openSUSE-SU-2019:1614
- https://bugzilla.redhat.com/show_bug.cgi?id=1677653
- https://bugzilla.suse.com/show_bug.cgi?id=1125815
- https://github.com/JameelNabbo/Jinja2-Code-execution
- 46386