CVE-2019-10906 – jinja2

Package

Manager: pip
Name: jinja2
Vulnerable Version: >=0 <2.10.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.01473 pctl0.80207

Details

Jinja2 sandbox escape via string formatting In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox. This issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods. If you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.

Metadata

Created: 2019-04-10T14:30:24Z
Modified: 2024-09-24T20:49:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-462w-v97r-4m45/GHSA-462w-v97r-4m45.json
CWE IDs: ["CWE-693"]
Alternative ID: GHSA-462w-v97r-4m45
Finding: F115
Auto approve: 1