CVE-2019-8341

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jinja2 version 2.10

Description An issue was discovered in the from string function of Jinja2, which is prone to Server Side Template Injection (SSTI). The function takes the source parameter as a template object, renders it, and then returns it. An attacker can exploit this issue by using {{INJECTION COMMANDS}} in a URI. It is noted that the maintainer and multiple third parties believe this vulnerability is not valid because users should not use untrusted templates without sandboxing.

Recommendations For Jinja2 version 2.10, as a temporary workaround, consider disabling the from string function until a patch is available or ensure that all templates used with this function are trusted and sandboxed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Code Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-77

Related Identifiers

ALT-PU-2019-2664

ALT-PU-2020-3106

ALT-PU-2024-3036

BDU:2019-01179

CVE-2019-8341

ECHO-A30C-A3E1-79BF

OPENSUSE-SU-2019:1395-1

OPENSUSE-SU-2019_1395-1

OPENSUSE-SU-2019_1614-1

SUSE-FU-2022:0444-1

SUSE-FU-2022:0445-1

SUSE-SU-2019:1156-1

SUSE-SU-2019:1554-1

SUSE-SU-2020:3096-1

SUSE-SU-2020:3897-1

Affected Products

Alt Linux

Debian

Jinja2

Suse

CVE-2019-8341

Weakness Enumeration

Related Identifiers

Affected Products

References · 41