Fluid Attacks Database

Description

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	jinja2	=2.11.3-1 \|\| =2.11.3-1+deb11u1 \|\| =2.11.3-1+deb11u2 \|\| =2.11.3-1+deb11u3 \|\| =2.11.3-1+deb11u4 \|\| =3.0.1-1 \|\| =3.0.1-2 \|\| =3.0.3-1 \|\| =3.0.3-1~bpo11+1 \|\| =3.0.3-2 \|\| =3.1.2-1 \|\| =3.1.3-1 \|\| =3.1.3-1.1 \|\| =3.1.3-2 \|\| =3.1.5-1 \|\| =3.1.5-2 \|\| =3.1.6-1 \|\| =3.1.6-2
debian 12	jinja2	=3.1.2-1 \|\| =3.1.2-1+deb12u1 \|\| =3.1.2-1+deb12u2 \|\| =3.1.2-1+deb12u3 \|\| =3.1.3-1 \|\| =3.1.3-1.1 \|\| =3.1.3-2 \|\| =3.1.5-1 \|\| =3.1.5-2 \|\| =3.1.6-1 \|\| =3.1.6-2
debian 14	jinja2	=3.1.6-1 \|\| =3.1.6-2
pypi	jinja2	<0
debian 13	jinja2	=3.1.6-1 \|\| =3.1.6-2

Aliases

1. CVE-2019-83412. NVD-2019-83413. OSV-DEBIAN-2019-83414. OSV-2019-83415. GCVE-2019-83416. SECURITY-TRACKER-CVE-2019-8341

References

1. https://github.com/adindrabkin/llama_facts2. https://www.exploit-db.com/exploits/46386/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.