PT-2024-9991 · Jinja+11
Lydxn · Published 2024-12-20 · Updated 2026-06-03
CVE-2024-56326
| CVSS v3.1 | 7.8 (High) |
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jinja versions prior to 3.1.5
Description
Jinja is an extensible templating engine. An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the issue, an attacker needs to control the content of a template, which depends on the type of application using Jinja. This affects users of applications that execute untrusted templates. Jinja's sandbox catches direct calls to str.format but does not prevent a template from storing a reference to a malicious string's format method and passing it to a filter that calls it. Custom filters in an application could therefore be used to exploit this.
Recommendations
For versions prior to 3.1.5, update to version 3.1.5 or later to fix the vulnerability. As a temporary workaround, consider restricting the use of custom filters in applications that execute untrusted templates, in particular filters that call objects handed to them from the template.
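The workaround above hinges on custom filters never invoking an object the template supplies. The following added example (not Jinja's own code, and not part of this advisory) contrasts a filter that calls its argument with a hardened version that dispatches only on a string name to server-defined operations; ALLOWED_OPS, apply_op, apply_op_unsafe, register and blocked are names constructed for this illustration.

```python
"""Hardening a custom Jinja filter so that a template-supplied callable
(such as a bound str.format reference, the path described in
CVE-2024-56326) can never be executed by the filter body."""

# Unsafe pattern: the filter invokes whatever object the template hands it.
# With a sandboxed environment before Jinja 3.1.5, `fn` could be a stored
# bound `format` method, which the sandbox's direct-call check does not see.
def apply_op_unsafe(value, fn):
    return fn(value)

# Hardened pattern: only named, server-defined operations can be invoked.
# The template passes a string; the callable is resolved here, never received.
ALLOWED_OPS = {
    "upper": str.upper,
    "strip": str.strip,
    "length": len,
}

def apply_op(value, op_name):
    """Dispatch on a string name; refuse callables and unknown names."""
    if callable(op_name):
        raise TypeError("filter 'apply_op' does not accept callable arguments")
    try:
        fn = ALLOWED_OPS[op_name]
    except (KeyError, TypeError):  # unknown name, or an unhashable object
        raise ValueError(f"unknown operation {op_name!r}") from None
    return fn(value)

def register(env):
    """Install the hardened filter into a jinja2 environment, e.g.
    register(SandboxedEnvironment()); template: {{ x | apply_op('upper') }}."""
    env.filters["apply_op"] = apply_op
    return env

def blocked(value, candidate):
    """True if the hardened filter refuses `candidate` without calling it."""
    try:
        apply_op(value, candidate)
    except (TypeError, ValueError):
        return True
    return False

if __name__ == "__main__":
    # A bound format method is exactly what the unsafe filter would execute.
    print(apply_op("abc", "upper"))            # ABC
    print(blocked("abc", "{0}".format))        # True
```

Updating to Jinja 3.1.5 or later remains the actual fix; the dispatch-by-name pattern only closes the filter side of the path this advisory describes.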
Tags: Exploit · Fix · DoS · Protection Mechanism Failure
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Jinja
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu