CVE-2019-8341

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-8341
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-8341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-8341
Downstream
Related
Withdrawn
2019-08-06T14:51:25Z
Published
2019-02-15T07:29:00Z
Modified
2025-08-26T06:28:51.318747Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

References

Affected packages

Debian:11 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.11.3-1
2.11.3-1+deb11u1
2.11.3-1+deb11u2
2.11.3-1+deb11u3
2.11.3-1+deb11u4

3.*

3.0.1-1
3.0.1-2
3.0.3-1~bpo11+1
3.0.3-1
3.0.3-2
3.1.2-1
3.1.3-1
3.1.3-1.1
3.1.3-2
3.1.5-1
3.1.5-2
3.1.6-1

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:12 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2-1
3.1.2-1+deb12u1
3.1.2-1+deb12u2
3.1.2-1+deb12u3
3.1.3-1
3.1.3-1.1
3.1.3-2
3.1.5-1
3.1.5-2
3.1.6-1

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:13 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.6-1

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:14 / jinja2

Package

Name
jinja2
Purl
pkg:deb/debian/jinja2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.6-1

Ecosystem specific 

{
    "urgency": "unimportant"
}

Git / github.com/pallets/jinja

Affected ranges

Type
GIT
Repo
https://github.com/pallets/jinja
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
7c3b7ca95cb17589dd64fddc957035336180b90d

Affected versions

2.*

2.0
2.0rc1
2.1
2.1.1
2.10
2.10.1
2.10.2
2.10.3
2.10.x
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.8
2.8.1
2.9
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.x