ALT-PU-2024-3036-5 — python3-module-jinja2

BDU:2019-01179

HIGH8.2

Уязвимость функции from_string шаблонизатора Jinja2 для языка программирования Python, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Опубликовано: 2019-03-27Изменено: 2021-03-23

CVSS 3.xВЫСОКАЯ 8.2

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS 2.0ВЫСОКАЯ 8.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:C/A:N

Ссылки

BDU:2024-00884

MEDIUM6.1

Уязвимость фильтра xmlattr шаблонизатора Jinja2 для языка программирования Python, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Опубликовано: 2024-02-02Изменено: 2025-04-08

CVSS 3.xСРЕДНЯЯ 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0СРЕДНЯЯ 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

Ссылки

CVE-2024-22195

CVE-2014-0012

MEDIUM4.4

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

Опубликовано: 2014-05-19Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 4.4

CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:P

Ссылки

CVE-2014-1402

MEDIUM4.4

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

Опубликовано: 2014-05-19Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 4.4

CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:P

Ссылки

CVE-2019-8341

CRITICAL9.8

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

Опубликовано: 2019-02-15Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2024-22195

MEDIUM6.1

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Опубликовано: 2024-01-11Изменено: 2025-11-03

CVSS 3.xСРЕДНЯЯ 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Ссылки

Обновление пакета python3-module-jinja2 в ветке p10

Закрытые проблемы (6)

Уязвимость фильтра xmlattr шаблонизатора Jinja2 для языка программирования Python, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.