Sisp

**Name of the Vulnerable Software and Affected Versions** Copier versions prior to 9.11.2 **Description** Copier, a library and CLI app for rendering project templates, exhibited a flaw where it incorrectly identified templates as safe, even if they contained arbitrary files and directories outside the local template clone location. This was possible through the use of symlinks combined with the default setting of ` preserve symlinks: false`. The application suggested that projects generated from safe templates did not require the `--UNSAFE,--trust` flag, but this was not accurate. **Recommendations** Update to version 9.11.2 or later.

Name of the Vulnerable Software and Affected Versions: Copier versions prior to 9.9.1 Description: Copier exposes `pathlib.Path` objects in the Jinja context with unconstrained I/O methods, allowing a safe template to read and write arbitrary files. This renders the security model regarding filesystem access ineffective. Recommendations: Update to version 9.9.1.

Name of the Vulnerable Software and Affected Versions: Copier versions 7.1.0 through 9.9.0 Description: Copier, a library and CLI application for rendering project templates, allows for the potential to write files outside the intended destination path when rendering a generated directory structure using relative parent paths or absolute paths. This is possible through the use of the `pathjoin` Jinja filter and the ` copier conf.sep` variable, enabling a malicious template author to overwrite arbitrary files based on the user's write permissions. Recommendations: Update to Copier version 9.9.1 or later.