USN-7343-1

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/notices/USN-7343-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7343-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-7343-1

Related

Published

2025-03-11T17:25:01.982022Z

Modified

2025-03-11T17:25:01.982022Z

Summary

jinja2 vulnerabilities

Details

Rafal Krupinski discovered that Jinja2 did not properly restrict the execution of code in situations where templates are used maliciously. An attacker with control over a template's filename and content could potentially use this issue to enable the execution of arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-56201)

It was discovered that Jinja2 sandboxed environments could be escaped through a call to a string format method. An attacker could possibly use this issue to enable the execution of arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-56326)

It was discovered that Jinja2 sandboxed environments could be escaped through the malicious use of certain filters. An attacker could possibly use this issue to enable the execution of arbitrary code. (CVE-2025-27516)

References

Affected packages

Ubuntu:Pro:14.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@2.7.2-2ubuntu0.1~esm6?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.2-2ubuntu0.1~esm6

Affected versions

2.*

2.7-3

2.7.1-1

2.7.2-1

2.7.2-2

2.7.2-2ubuntu0.1~esm1

2.7.2-2ubuntu0.1~esm2

2.7.2-2ubuntu0.1~esm3

2.7.2-2ubuntu0.1~esm4

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.7.2-2ubuntu0.1~esm6",
            "binary_name": "python-jinja2"
        },
        {
            "binary_version": "2.7.2-2ubuntu0.1~esm6",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "2.7.2-2ubuntu0.1~esm6",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@2.8-1ubuntu0.1+esm5?arch=source&distro=esm-infra/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8-1ubuntu0.1+esm5

Affected versions

2.*

2.8-1

2.8-1ubuntu0.1

2.8-1ubuntu0.1+esm1

2.8-1ubuntu0.1+esm2

2.8-1ubuntu0.1+esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.8-1ubuntu0.1+esm5",
            "binary_name": "python-jinja2"
        },
        {
            "binary_version": "2.8-1ubuntu0.1+esm5",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "2.8-1ubuntu0.1+esm5",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@2.10-1ubuntu0.18.04.1+esm4?arch=source&distro=esm-infra/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10-1ubuntu0.18.04.1+esm4

Affected versions

2.*

2.9.6-1

2.10-1

2.10-1ubuntu0.18.04.1

2.10-1ubuntu0.18.04.1+esm1

2.10-1ubuntu0.18.04.1+esm2

2.10-1ubuntu0.18.04.1+esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.10-1ubuntu0.18.04.1+esm4",
            "binary_name": "python-jinja2"
        },
        {
            "binary_version": "2.10-1ubuntu0.18.04.1+esm4",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "2.10-1ubuntu0.18.04.1+esm4",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:20.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@2.10.1-2ubuntu0.5?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.1-2ubuntu0.5

Affected versions

2.*

2.10-2ubuntu1

2.10-2ubuntu2

2.10.1-1ubuntu1

2.10.1-2

2.10.1-2ubuntu0.2

2.10.1-2ubuntu0.3

2.10.1-2ubuntu0.4

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.10.1-2ubuntu0.5",
            "binary_name": "python-jinja2"
        },
        {
            "binary_version": "2.10.1-2ubuntu0.5",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "2.10.1-2ubuntu0.5",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:22.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@3.0.3-1ubuntu0.4?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.3-1ubuntu0.4

Affected versions

2.*

2.11.3-1

3.*

3.0.1-2

3.0.3-1

3.0.3-1ubuntu0.1

3.0.3-1ubuntu0.2

3.0.3-1ubuntu0.3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "3.0.3-1ubuntu0.4",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "3.0.3-1ubuntu0.4",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:24.10 / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@3.1.3-1ubuntu1.24.10.2?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.3-1ubuntu1.24.10.2

Affected versions

3.*

3.1.2-1ubuntu1

3.1.3-1

3.1.3-1ubuntu1

3.1.3-1ubuntu1.24.10.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "3.1.3-1ubuntu1.24.10.2",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "3.1.3-1ubuntu1.24.10.2",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:24.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@3.1.2-1ubuntu1.3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.2-1ubuntu1.3

Affected versions

3.*

3.1.2-1

3.1.2-1ubuntu1

3.1.2-1ubuntu1.1

3.1.2-1ubuntu1.2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "3.1.2-1ubuntu1.3",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "3.1.2-1ubuntu1.3",
            "binary_name": "python3-jinja2"
        }
    ]
}