PT-2021-24142 · Unknown+1 · Stackstorm+1

Published

2021-12-15

Updated

2022-07-12

CVE-2021-44657

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: StackStorm versions prior to 3.6.0

Description: The issue arises from the jinja interpreter not being run in sandbox mode, allowing the execution of unsafe system commands. This is due to jinja not enabling sandboxed mode by default for backwards compatibility reasons. However, StackStorm now sets sandboxed mode for jinja by default.

Recommendations: For versions prior to 3.6.0, update to version 3.6.0 or later to enable sandboxed mode for the jinja interpreter by default. As a temporary workaround, consider configuring the jinja interpreter to run in sandbox mode manually until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2021-44657

Affected Products

Stackstorm

Jinja

PT-2021-24142 · Unknown+1 · Stackstorm+1

CVE-2021-44657

Related Identifiers

Affected Products

References · 7