ALT-PU-2020-3106-2
Package python-module-jinja2 updated to version 2.11.2-alt1 for branch p9 in task 254838.
Closed vulnerabilities
BDU:2019-01179
A vulnerability in the from_string function of the Jinja2 template engine for the Python programming language, allowing an attacker to affect the confidentiality and integrity of protected information
Modified: 2024-11-21
CVE-2014-0012
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
- [oss-security] 20140110 CVE assignment for jinja2
- 56328
- 60738
- GLSA-201408-13
- https://bugzilla.redhat.com/show_bug.cgi?id=1051421
- https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
- https://github.com/mitsuhiko/jinja2/pull/292
- https://github.com/mitsuhiko/jinja2/pull/296
Modified: 2024-11-21
CVE-2014-1402
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
- http://advisories.mageia.org/MGASA-2014-0028.html
- http://jinja.pocoo.org/docs/changelog/
- [oss-security] 20140110 CVE Request: python-jinja2: arbitrary code execution vulnerability
- [oss-security] 20140110 Re: CVE Request: python-jinja2: arbitrary code execution vulnerability
- RHSA-2014:0747
- RHSA-2014:0748
- 56287
- 58783
- 58918
- 59017
- 60738
- 60770
- GLSA-201408-13
- MDVSA-2014:096
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
- https://bugzilla.redhat.com/show_bug.cgi?id=1051421
- [El-errata] 20140611 Oracle Linux Security Advisory ELSA-2014-0747
Modified: 2024-11-21
CVE-2019-10906
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
- openSUSE-SU-2019:1395
- openSUSE-SU-2019:1614
- RHSA-2019:1152
- RHSA-2019:1237
- RHSA-2019:1329
- [infra-devnull] 20190410 [GitHub] [airflow] ashb closed pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [infra-devnull] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [infra-devnull] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [infra-devnull] 20190410 [GitHub] [airflow] XD-DENG opened pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] ashb merged pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] XD-DENG opened a new pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- [airflow-commits] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906
- FEDORA-2019-e41e19457b
- FEDORA-2019-4f978cacb4
- FEDORA-2019-04a42e480b
- https://palletsprojects.com/blog/jinja-2-10-1-released
- USN-4011-1
- USN-4011-2
Modified: 2024-11-21
CVE-2019-8341
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
- openSUSE-SU-2019:1395
- openSUSE-SU-2019:1614
- https://bugzilla.redhat.com/show_bug.cgi?id=1677653
- https://bugzilla.suse.com/show_bug.cgi?id=1125815
- https://github.com/JameelNabbo/Jinja2-Code-execution
- 46386