Download
| Alert*
|
oval:org.secpod.oval:def:2000395
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. oval:org.secpod.oval:def:1901285 An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. oval:org.secpod.oval:def:2104978 In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. oval:org.secpod.oval:def:89050830 This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string . - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format . |
