Vulnerability Database
Blog
FAQ
Docs
CVE-2016-10745
See a problem?
Please try reporting it
to the source
first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-10745
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10745.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-10745
Aliases
GHSA-hj2j-77xm-mc5v
PYSEC-2019-220
Related
RHSA-2019:1022
RHSA-2019:1237
RHSA-2019:1260
RHSA-2019:3172
RHSA-2019:3964
RHSA-2019:4062
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2019:1156-1
SUSE-SU-2019:1323-1
SUSE-SU-2019:1554-1
SUSE-SU-2020:3897-1
UBUNTU-CVE-2016-10745
USN-4011-1
USN-4011-2
openSUSE-SU-2019:1395-1
openSUSE-SU-2024:11208-1
openSUSE-SU-2024:13930-1
Published
2019-04-08T13:29:00Z
Modified
2024-09-18T02:17:58.784419Z
Severity
8.6 (High)
CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Calculator
Summary
[none]
Details
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
References
https://access.redhat.com/errata/RHSA-2019:1022
https://access.redhat.com/errata/RHSA-2019:1237
https://access.redhat.com/errata/RHSA-2019:1260
https://access.redhat.com/errata/RHSA-2019:3964
https://access.redhat.com/errata/RHSA-2019:4062
https://palletsprojects.com/blog/jinja-281-released/
https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
https://usn.ubuntu.com/4011-1/
https://usn.ubuntu.com/4011-2/
https://security-tracker.debian.org/tracker/CVE-2016-10745
Affected packages
Debian:11
/
jinja2
Package
Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
2.9.4-1
Ecosystem specific
{ "urgency": "not yet assigned" }
Debian:12
/
jinja2
Package
Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
2.9.4-1
Ecosystem specific
{ "urgency": "not yet assigned" }
Debian:13
/
jinja2
Package
Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
2.9.4-1
Ecosystem specific
{ "urgency": "not yet assigned" }
Git
/
github.com/pallets/jinja
Affected ranges
Type
GIT
Repo
https://github.com/pallets/jinja
Events
Introduced
0
Unknown introduced commit / All previous commits are affected
Fixed
9b53045c34e61013dc8f09b7e52a555fa16bed16
Affected versions
2.*
2.0
2.0rc1
2.1
2.1.1
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.8
CVE-2016-10745 - OSV