GHSA-462w-v97r-4m45

Source

https://github.com/advisories/GHSA-462w-v97r-4m45

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-462w-v97r-4m45/GHSA-462w-v97r-4m45.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-462w-v97r-4m45

Aliases

Published

2019-04-10T14:30:24Z

Modified

2024-09-24T21:03:59.802687Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator

Summary

Jinja2 sandbox escape via string formatting

Details

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the str.format_map method could be used to escape the sandbox.

This issue was previously addressed for the str.format method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common str.format_map method was overlooked. This release applies the same sandboxing to both methods.

If you cannot upgrade Jinja, you can override the is_safe_attribute method on the sandbox and explicitly disallow the format_map method on string objects.

Database specific

{
    "nvd_published_at": "2019-04-07T00:29:00Z",
    "cwe_ids": [
        "CWE-693"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:57:35Z"
}

References

Affected packages

PyPI / jinja2

Package

Name: jinja2; View open source insights on deps.dev
Purl: pkg:pypi/jinja2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.1

Affected versions

2.*

2.0rc1

2.0

2.1

2.1.1

2.2

2.2.1

2.3

2.3.1

2.4

2.4.1

2.5

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6

2.7

2.7.1

2.7.2

2.7.3

2.8

2.8.1

2.9

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.10