logo

Database

Lack of data validation In jinja2

Description

Jinja2 sandbox escape vulnerability In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2016-107452. NVD-2016-107453. OSV-2016-107454. OSV-DEBIAN-2016-107455. GHSA-hj2j-77xm-mc5v6. GCVE-2016-107457. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. SECURITY-TRACKER-CVE-2016-10745

References

1. https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed162. https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2019-220.yaml3. https://palletsprojects.com/blog/jinja-281-released4. https://usn.ubuntu.com/4011-15. https://usn.ubuntu.com/4011-26. http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html7. http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.