
CVE-2019-8341

Published: 15 February 2019

** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
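The sandboxing the maintainers refer to, shown as an added example (not part of this tracker entry or of the Jinja2 project): the same from_string call on constructed untrusted template text, once through a plain Environment and once through Jinja2's ImmutableSandboxedEnvironment, which blocks access to Python internals and mutating calls. The Greeting class and the template strings are constructed sample data.

```python
"""Rendering untrusted Jinja2 template source: plain Environment vs. sandbox.

Added example, not part of the CVE tracker entry. Requires Jinja2; the
template strings are constructed inputs standing in for user-supplied data.
"""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment


class Greeting:
    """Constructed sample object handed to the template as context."""
    text = "world"


def render_unsandboxed(user_template: str) -> str:
    """The pattern the CVE describes: untrusted text becomes the template
    itself, so Jinja2's expression language runs with full attribute access."""
    return Environment().from_string(user_template).render(obj=Greeting())


def render_sandboxed(user_template: str) -> str:
    """Same from_string/render call through the sandbox the maintainers
    recommend. Attribute names starting with '_' (Python internals) and
    mutating calls are blocked; StrictUndefined turns the block into a
    SecurityError instead of silently rendering an empty string."""
    env = ImmutableSandboxedEnvironment(undefined=StrictUndefined)
    try:
        return env.from_string(user_template).render(obj=Greeting())
    except SecurityError as exc:
        # Fail closed and surface the event: this is what a defender logs.
        return f"rejected: {exc}"


# Constructed inputs: one legitimate template, one that reaches for internals.
BENIGN = "Hello {{ obj.text }}!"
PROBE = "{{ obj.__class__ }}"

if __name__ == "__main__":
    for t in (BENIGN, PROBE):
        print("unsandboxed:", render_unsandboxed(t))
        print("sandboxed:  ", render_sandboxed(t))
```

Run as a script to see the plain environment expose the class object while the sandboxed path rejects the same input and still renders the legitimate template.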

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: jinja2 (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Needs triage
Ubuntu 18.04 LTS (Bionic Beaver)     Ignored (rejected by upstream)
Ubuntu 16.04 ESM (Xenial Xerus)      Ignored (rejected by upstream)
Ubuntu 14.04 ESM (Trusty Tahr)       Ignored (rejected by upstream)

Notes

Author Note

leosilva: Further discussions about this CVE say it's an invalid one. A reject was already sent to MITRE.
