CVE-2024-56201 – jinja2

Package

Manager: pip
Name: jinja2
Vulnerable Version: >=3.0.0 <3.1.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00022 pctl0.04284

Details

Jinja has a sandbox breakout through malicious filenames A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.

Metadata

Created: 2024-12-23T17:54:12Z
Modified: 2025-01-08T16:06:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-gmj6-6f8f-6699/GHSA-gmj6-6f8f-6699.json
CWE IDs: ["CWE-150"]
Alternative ID: GHSA-gmj6-6f8f-6699
Finding: F111
Auto approve: 1