Vulnerability Database
Blog
FAQ
Docs
arrow_forward
search
CVE-2019-10906
See a problem?
Please try reporting it
to the source
first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-10906
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10906.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-10906
Aliases
GHSA-462w-v97r-4m45
PYSEC-2019-217
Downstream
DEBIAN-CVE-2019-10906
RHSA-2019:1152
RHSA-2019:1237
RHSA-2019:1329
RHSA-2019:3172
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2019:1156-1
SUSE-SU-2019:1554-1
SUSE-SU-2020:3096-1
SUSE-SU-2020:3897-1
UBUNTU-CVE-2019-10906
USN-4011-1
USN-4011-2
openSUSE-SU-2019:1395-1
openSUSE-SU-2024:11208-1
openSUSE-SU-2024:13930-1
Related
MGASA-2019-0177
RLSA-2019:1152
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2019:1156-1
SUSE-SU-2019:1554-1
SUSE-SU-2020:3096-1
SUSE-SU-2020:3897-1
openSUSE-SU-2019:1395-1
openSUSE-SU-2024:11208-1
openSUSE-SU-2024:13930-1
Published
2019-04-07T00:29:00Z
Modified
2025-09-19T10:18:04.279912Z
Severity
8.6 (High)
CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Calculator
Summary
[none]
Details
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
References
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
https://access.redhat.com/errata/RHSA-2019:1152
https://access.redhat.com/errata/RHSA-2019:1237
https://access.redhat.com/errata/RHSA-2019:1329
https://palletsprojects.com/blog/jinja-2-10-1-released
https://usn.ubuntu.com/4011-1/
https://usn.ubuntu.com/4011-2/
https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f%40%3Cdevnull.infra.apache.org%3E
https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac%40%3Cdevnull.infra.apache.org%3E
https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df%40%3Cdevnull.infra.apache.org%3E
https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284%40%3Cdevnull.infra.apache.org%3E
https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02%40%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993%40%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da%40%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316%40%3Ccommits.airflow.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/
Affected packages
Git
/
github.com/pallets/jinja
Affected ranges
Type
GIT
Repo
https://github.com/pallets/jinja
Events
Introduced
0
Unknown introduced commit / All previous commits are affected
Fixed
c4c4088945a2c12535f539be7f5453b9ca94666c
Affected versions
2.*
2.0
2.0rc1
2.1
2.1.1
2.10
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.8
2.8.1
2.9
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
CVE-2019-10906 - OSV