PT-2023-9827 · Jinja+10 · Jinja+10
Sleiner
·
Publicado
2023-01-16
·
Atualizado
2026-06-03
·
CVE-2024-56201
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jinja versions prior to 3.1.5
Description
Jinja is an extensible templating engine. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the issue, an attacker needs to control both the filename and the contents of a template. This impacts users of applications which execute untrusted templates where the template author can also choose the template filename.
Recommendations
For versions prior to 3.1.5, update to version 3.1.5 to resolve the issue. As a temporary workaround, consider restricting the ability of template authors to choose the template filename to minimize the risk of exploitation. Avoid using untrusted templates where the template author can control both the filename and the contents.
Exploit
Correção
DoS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Alt Linux
Almalinux
Astra Linux
Debian
Jinja
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu