CVE-2019-8341

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-8341
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-8341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-8341
Related
Withdrawn
2019-08-06T14:51:25Z
Published
2019-02-15T07:29:00Z
Modified
2024-10-12T05:23:34.179446Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) because it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.

References

Affected packages

Debian:11 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.11.3-1

3.*

3.0.1-1
3.0.1-2
3.0.3-1~bpo11+1
3.0.3-1
3.0.3-2
3.1.2-1
3.1.3-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.1.2-1
3.1.3-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.1.2-1
3.1.3-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/pallets/jinja

Affected ranges

Type
GIT
Repo
https://github.com/pallets/jinja
Events
Introduced
0 (Unknown introduced commit / All previous commits are affected)
Last affected

Affected versions

2.*

2.0
2.0rc1
2.1
2.1.1
2.10
2.10.1
2.10.2
2.10.3
2.10.x
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.8
2.8.1
2.9
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.x