Back to search
CVE-2019-8341
Published: Feb 15, 2019
Modified: Aug 4, 2024
PUBLISHED
Description
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://github.com/JameelNabbo/Jinja2-Code-execution
x_refsource_MISC
46386
exploit
x_refsource_EXPLOIT-DB
openSUSE-SU-2019:1395
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2019:1614
vendor-advisory
x_refsource_SUSE
https://bugzilla.redhat.com/show_bug.cgi?id=1677653
x_refsource_MISC
https://bugzilla.suse.com/show_bug.cgi?id=1125815
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now