USN-7343-2

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/notices/USN-7343-2

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7343-2.json

JSON Data

https://api.osv.dev/v1/vulns/USN-7343-2

Published

2025-03-12T19:30:54.945208Z

Modified

2025-03-12T19:30:54.945208Z

Summary

jinja2 regression

Details

USN-7343-1 fixed vulnerabilities in Jinja2. The update introduced a regression when attempting to import Jinja2 on Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Rafal Krupinski discovered that Jinja2 did not properly restrict the execution of code in situations where templates are used maliciously. An attacker with control over a template's filename and content could potentially use this issue to enable the execution of arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-56201)

It was discovered that Jinja2 sandboxed environments could be escaped through a call to a string format method. An attacker could possibly use this issue to enable the execution of arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-56326)

It was discovered that Jinja2 sandboxed environments could be escaped through the malicious use of certain filters. An attacker could possibly use this issue to enable the execution of arbitrary code. (CVE-2025-27516)

References

Affected packages

Ubuntu:Pro:18.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@2.10-1ubuntu0.18.04.1+esm5?arch=source&distro=esm-infra/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10-1ubuntu0.18.04.1+esm5

Affected versions

2.*

2.9.6-1

2.10-1

2.10-1ubuntu0.18.04.1

2.10-1ubuntu0.18.04.1+esm1

2.10-1ubuntu0.18.04.1+esm2

2.10-1ubuntu0.18.04.1+esm3

2.10-1ubuntu0.18.04.1+esm4

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.10-1ubuntu0.18.04.1+esm5",
            "binary_name": "python-jinja2"
        },
        {
            "binary_version": "2.10-1ubuntu0.18.04.1+esm5",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "2.10-1ubuntu0.18.04.1+esm5",
            "binary_name": "python3-jinja2"
        }
    ]
}

Ubuntu:20.04:LTS / jinja2

Package

Name: jinja2
Purl: pkg:deb/ubuntu/jinja2@2.10.1-2ubuntu0.6?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.1-2ubuntu0.6

Affected versions

2.*

2.10-2ubuntu1

2.10-2ubuntu2

2.10.1-1ubuntu1

2.10.1-2

2.10.1-2ubuntu0.2

2.10.1-2ubuntu0.3

2.10.1-2ubuntu0.4

2.10.1-2ubuntu0.5

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.10.1-2ubuntu0.6",
            "binary_name": "python-jinja2"
        },
        {
            "binary_version": "2.10.1-2ubuntu0.6",
            "binary_name": "python-jinja2-doc"
        },
        {
            "binary_version": "2.10.1-2ubuntu0.6",
            "binary_name": "python3-jinja2"
        }
    ]
}