Vulnerability Database
Blog
FAQ
Docs
GHSA-hj2j-77xm-mc5v
Suggest an improvement
Source
https://github.com/advisories/GHSA-hj2j-77xm-mc5v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-hj2j-77xm-mc5v/GHSA-hj2j-77xm-mc5v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hj2j-77xm-mc5v
Aliases
CVE-2016-10745
PYSEC-2019-220
Published
2019-04-10T14:30:13Z
Modified
2024-09-24T21:13:19.203972Z
Severity
8.6 (High)
CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Calculator
7.7 (High)
CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Calculator
Summary
Jinja2 sandbox escape vulnerability
Details
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-10745
https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
https://access.redhat.com/errata/RHSA-2019:1022
https://access.redhat.com/errata/RHSA-2019:1237
https://access.redhat.com/errata/RHSA-2019:1260
https://access.redhat.com/errata/RHSA-2019:3964
https://access.redhat.com/errata/RHSA-2019:4062
https://github.com/advisories/GHSA-hj2j-77xm-mc5v
https://github.com/pallets/jinja
https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2019-220.yaml
https://palletsprojects.com/blog/jinja-281-released
https://usn.ubuntu.com/4011-1
https://usn.ubuntu.com/4011-2
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
Affected packages
PyPI
/
jinja2
Package
Name
jinja2
View open source insights on deps.dev
Purl
pkg:pypi/jinja2
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
2.8.1
Affected versions
2.*
2.0rc1
2.0
2.1
2.1.1
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.8
GHSA-hj2j-77xm-mc5v - OSV