CVE-2019-8341

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-8341
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-8341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-8341
Downstream
Related
Published
2019-02-15T07:29:00Z
Modified
2025-09-24T09:49:45.225209Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

Database specific
{
    "isDisputed": true
}
References

Affected packages

Git / github.com/pallets/jinja

Affected ranges

Type
GIT
Repo
https://github.com/pallets/jinja
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

2.*

2.0
2.0rc1
2.1
2.1.1
2.10
2.10.1
2.10.2
2.10.3
2.10.x
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.8
2.8.1
2.9
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.x