GHSA-8r7q-cvjq-x353

Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r7q-cvjq-x353/GHSA-8r7q-cvjq-x353.json
Aliases:
Published: 2022-05-14T04:04:14Z
Modified: 2022-09-21T03:36:44.117160Z
Details

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with _jinja2 in /tmp.

References

Affected packages

PyPI / jinja2

jinja2

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 0
Fixed: 2.7.2

Affected versions

2.*

2.0
2.0rc1
2.1
2.1.1
2.2
2.2.1
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6
2.7
2.7.1