CVE-2024-56201

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56201
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56201.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-56201
Aliases
Downstream
Related
Published
2024-12-23T15:37:36Z
Modified
2025-10-22T18:45:22.308380Z
Severity
  • 5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Jinja has a sandbox breakout through malicious filenames
Details

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

Database specific 
{
    "cwe_ids": [
        "CWE-150"
    ]
}
References

Affected packages

Git / github.com/pallets/jinja

Affected ranges

Type
GIT
Repo
https://github.com/pallets/jinja
Events
Introduced
417f822196f66155e8c121e5229cc12a6b02ce14
Fixed
877f6e51be8e1765b06d911cfaa9033775f051d1

Affected versions

2.*

2.10.x
2.11.x
2.9.x

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.x
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4