CVE-2014-0012 (GCVE-0-2014-0012)
Vulnerability from cvelistv5
Published
2014-05-19 14:00
Modified
2024-08-06 08:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:58:26.479Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "name": "56328", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/56328" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "name": "60738", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60738" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mitsuhiko/jinja2/pull/296" }, { "name": "GLSA-201408-13", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { "name": "[oss-security] 20140110 CVE assignment for jinja2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q1/73" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-01-10T00:00:00", "descriptions": [ { "lang": "en", "value": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-09-12T12:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "name": "56328", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/56328" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "name": "60738", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60738" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mitsuhiko/jinja2/pull/296" }, { "name": "GLSA-201408-13", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { "name": "[oss-security] 20140110 CVE assignment for jinja2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q1/73" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0012", "datePublished": "2014-05-19T14:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T08:58:26.479Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2014-0012\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-05-19T14:55:10.330\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by 
pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.\"},{\"lang\":\"es\",\"value\":\"FileSystemBytecodeCache en Jinja2 2.7.2 no crea debidamente directorios temporales, lo que permite a usuarios locales ganar privilegios mediante la previa creaci\u00f3n de un directorio temporal con el identificador de un usuario. NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para CVE-2014-1402.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pocoo:jinja2:2.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E22D331-9917-4E29-9FDD-4907337D7948\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/oss-sec/2014/q1/73\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/56328\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/60738\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1051421\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/mitsuhiko/jinja2/commit/acb672b6a1
79567632e032f547582f30fa2f4aa7\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://github.com/mitsuhiko/jinja2/pull/292\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/mitsuhiko/jinja2/pull/296\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://seclists.org/oss-sec/2014/q1/73\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/56328\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/60738\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1051421\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://github.com/mitsuhiko/jinja2/pull/292\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/mitsuhiko/jinja2/pull/296\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
opensuse-su-2024:10129-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python-Jinja2-2.8-1.4 on GA media
Notes
Title of the patch
python-Jinja2-2.8-1.4 on GA media
Description of the patch
These are all security issues fixed in the python-Jinja2-2.8-1.4 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-10129
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python-Jinja2-2.8-1.4 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python-Jinja2-2.8-1.4 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-10129", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10129-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2014-0012 page", "url": "https://www.suse.com/security/cve/CVE-2014-0012/" } ], "title": "python-Jinja2-2.8-1.4 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:10129-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ 
{ "branches": [ { "branches": [ { "category": "product_version", "name": "python-Jinja2-2.8-1.4.aarch64", "product": { "name": "python-Jinja2-2.8-1.4.aarch64", "product_id": "python-Jinja2-2.8-1.4.aarch64" } }, { "category": "product_version", "name": "python-Jinja2-emacs-2.8-1.4.aarch64", "product": { "name": "python-Jinja2-emacs-2.8-1.4.aarch64", "product_id": "python-Jinja2-emacs-2.8-1.4.aarch64" } }, { "category": "product_version", "name": "python-Jinja2-vim-2.8-1.4.aarch64", "product": { "name": "python-Jinja2-vim-2.8-1.4.aarch64", "product_id": "python-Jinja2-vim-2.8-1.4.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python-Jinja2-2.8-1.4.ppc64le", "product": { "name": "python-Jinja2-2.8-1.4.ppc64le", "product_id": "python-Jinja2-2.8-1.4.ppc64le" } }, { "category": "product_version", "name": "python-Jinja2-emacs-2.8-1.4.ppc64le", "product": { "name": "python-Jinja2-emacs-2.8-1.4.ppc64le", "product_id": "python-Jinja2-emacs-2.8-1.4.ppc64le" } }, { "category": "product_version", "name": "python-Jinja2-vim-2.8-1.4.ppc64le", "product": { "name": "python-Jinja2-vim-2.8-1.4.ppc64le", "product_id": "python-Jinja2-vim-2.8-1.4.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python-Jinja2-2.8-1.4.s390x", "product": { "name": "python-Jinja2-2.8-1.4.s390x", "product_id": "python-Jinja2-2.8-1.4.s390x" } }, { "category": "product_version", "name": "python-Jinja2-emacs-2.8-1.4.s390x", "product": { "name": "python-Jinja2-emacs-2.8-1.4.s390x", "product_id": "python-Jinja2-emacs-2.8-1.4.s390x" } }, { "category": "product_version", "name": "python-Jinja2-vim-2.8-1.4.s390x", "product": { "name": "python-Jinja2-vim-2.8-1.4.s390x", "product_id": "python-Jinja2-vim-2.8-1.4.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python-Jinja2-2.8-1.4.x86_64", "product": { 
"name": "python-Jinja2-2.8-1.4.x86_64", "product_id": "python-Jinja2-2.8-1.4.x86_64" } }, { "category": "product_version", "name": "python-Jinja2-emacs-2.8-1.4.x86_64", "product": { "name": "python-Jinja2-emacs-2.8-1.4.x86_64", "product_id": "python-Jinja2-emacs-2.8-1.4.x86_64" } }, { "category": "product_version", "name": "python-Jinja2-vim-2.8-1.4.x86_64", "product": { "name": "python-Jinja2-vim-2.8-1.4.x86_64", "product_id": "python-Jinja2-vim-2.8-1.4.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.8-1.4.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.aarch64" }, "product_reference": "python-Jinja2-2.8-1.4.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.8-1.4.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.ppc64le" }, "product_reference": "python-Jinja2-2.8-1.4.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.8-1.4.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.s390x" }, "product_reference": "python-Jinja2-2.8-1.4.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.8-1.4.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE 
Tumbleweed:python-Jinja2-2.8-1.4.x86_64" }, "product_reference": "python-Jinja2-2.8-1.4.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-emacs-2.8-1.4.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.aarch64" }, "product_reference": "python-Jinja2-emacs-2.8-1.4.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-emacs-2.8-1.4.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.ppc64le" }, "product_reference": "python-Jinja2-emacs-2.8-1.4.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-emacs-2.8-1.4.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.s390x" }, "product_reference": "python-Jinja2-emacs-2.8-1.4.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-emacs-2.8-1.4.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.x86_64" }, "product_reference": "python-Jinja2-emacs-2.8-1.4.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-vim-2.8-1.4.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.aarch64" }, "product_reference": "python-Jinja2-vim-2.8-1.4.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-vim-2.8-1.4.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE 
Tumbleweed:python-Jinja2-vim-2.8-1.4.ppc64le" }, "product_reference": "python-Jinja2-vim-2.8-1.4.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-vim-2.8-1.4.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.s390x" }, "product_reference": "python-Jinja2-vim-2.8-1.4.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-vim-2.8-1.4.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.x86_64" }, "product_reference": "python-Jinja2-vim-2.8-1.4.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-0012", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-0012" } ], "notes": [ { "category": "general", "text": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.aarch64", "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.ppc64le", "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.s390x", "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.x86_64", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.aarch64", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.ppc64le", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.s390x", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.x86_64", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.aarch64", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.ppc64le", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.s390x", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2014-0012", "url": "https://www.suse.com/security/cve/CVE-2014-0012" }, { "category": "external", "summary": "SUSE Bug 858239 for CVE-2014-0012", "url": "https://bugzilla.suse.com/858239" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.aarch64", "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.ppc64le", "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.s390x", "openSUSE Tumbleweed:python-Jinja2-2.8-1.4.x86_64", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.aarch64", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.ppc64le", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.s390x", "openSUSE Tumbleweed:python-Jinja2-emacs-2.8-1.4.x86_64", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.aarch64", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.ppc64le", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.s390x", "openSUSE Tumbleweed:python-Jinja2-vim-2.8-1.4.x86_64" ] } ], "threats": [ { "category": "impact", "date": 
"2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2014-0012" } ] }
opensuse-su-2024:13930-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python310-Jinja2-3.1.4-1.1 on GA media
Notes
Title of the patch
python310-Jinja2-3.1.4-1.1 on GA media
Description of the patch
These are all security issues fixed in the python310-Jinja2-3.1.4-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13930
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python310-Jinja2-3.1.4-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python310-Jinja2-3.1.4-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-13930", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13930-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2014-0012 page", "url": "https://www.suse.com/security/cve/CVE-2014-0012/" }, { "category": "self", "summary": "SUSE CVE CVE-2016-10745 page", "url": "https://www.suse.com/security/cve/CVE-2016-10745/" }, { "category": "self", "summary": "SUSE CVE CVE-2019-10906 page", "url": "https://www.suse.com/security/cve/CVE-2019-10906/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-28493 page", "url": "https://www.suse.com/security/cve/CVE-2020-28493/" }, { "category": "self", "summary": "SUSE CVE CVE-2024-34064 page", "url": 
"https://www.suse.com/security/cve/CVE-2024-34064/" } ], "title": "python310-Jinja2-3.1.4-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:13930-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python310-Jinja2-3.1.4-1.1.aarch64", "product": { "name": "python310-Jinja2-3.1.4-1.1.aarch64", "product_id": "python310-Jinja2-3.1.4-1.1.aarch64" } }, { "category": "product_version", "name": "python311-Jinja2-3.1.4-1.1.aarch64", "product": { "name": "python311-Jinja2-3.1.4-1.1.aarch64", "product_id": "python311-Jinja2-3.1.4-1.1.aarch64" } }, { "category": "product_version", "name": "python312-Jinja2-3.1.4-1.1.aarch64", "product": { "name": "python312-Jinja2-3.1.4-1.1.aarch64", "product_id": "python312-Jinja2-3.1.4-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python310-Jinja2-3.1.4-1.1.ppc64le", "product": { "name": "python310-Jinja2-3.1.4-1.1.ppc64le", "product_id": "python310-Jinja2-3.1.4-1.1.ppc64le" } }, { "category": "product_version", "name": "python311-Jinja2-3.1.4-1.1.ppc64le", "product": { "name": "python311-Jinja2-3.1.4-1.1.ppc64le", "product_id": "python311-Jinja2-3.1.4-1.1.ppc64le" } }, { "category": "product_version", "name": "python312-Jinja2-3.1.4-1.1.ppc64le", "product": { "name": "python312-Jinja2-3.1.4-1.1.ppc64le", "product_id": "python312-Jinja2-3.1.4-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python310-Jinja2-3.1.4-1.1.s390x", "product": { "name": 
"python310-Jinja2-3.1.4-1.1.s390x", "product_id": "python310-Jinja2-3.1.4-1.1.s390x" } }, { "category": "product_version", "name": "python311-Jinja2-3.1.4-1.1.s390x", "product": { "name": "python311-Jinja2-3.1.4-1.1.s390x", "product_id": "python311-Jinja2-3.1.4-1.1.s390x" } }, { "category": "product_version", "name": "python312-Jinja2-3.1.4-1.1.s390x", "product": { "name": "python312-Jinja2-3.1.4-1.1.s390x", "product_id": "python312-Jinja2-3.1.4-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python310-Jinja2-3.1.4-1.1.x86_64", "product": { "name": "python310-Jinja2-3.1.4-1.1.x86_64", "product_id": "python310-Jinja2-3.1.4-1.1.x86_64" } }, { "category": "product_version", "name": "python311-Jinja2-3.1.4-1.1.x86_64", "product": { "name": "python311-Jinja2-3.1.4-1.1.x86_64", "product_id": "python311-Jinja2-3.1.4-1.1.x86_64" } }, { "category": "product_version", "name": "python312-Jinja2-3.1.4-1.1.x86_64", "product": { "name": "python312-Jinja2-3.1.4-1.1.x86_64", "product_id": "python312-Jinja2-3.1.4-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python310-Jinja2-3.1.4-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64" }, "product_reference": "python310-Jinja2-3.1.4-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-Jinja2-3.1.4-1.1.ppc64le as component of openSUSE Tumbleweed", 
"product_id": "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le" }, "product_reference": "python310-Jinja2-3.1.4-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-Jinja2-3.1.4-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x" }, "product_reference": "python310-Jinja2-3.1.4-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-Jinja2-3.1.4-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64" }, "product_reference": "python310-Jinja2-3.1.4-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-Jinja2-3.1.4-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64" }, "product_reference": "python311-Jinja2-3.1.4-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-Jinja2-3.1.4-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le" }, "product_reference": "python311-Jinja2-3.1.4-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-Jinja2-3.1.4-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x" }, "product_reference": "python311-Jinja2-3.1.4-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-Jinja2-3.1.4-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": 
"openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64" }, "product_reference": "python311-Jinja2-3.1.4-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-Jinja2-3.1.4-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64" }, "product_reference": "python312-Jinja2-3.1.4-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-Jinja2-3.1.4-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le" }, "product_reference": "python312-Jinja2-3.1.4-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-Jinja2-3.1.4-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x" }, "product_reference": "python312-Jinja2-3.1.4-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-Jinja2-3.1.4-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" }, "product_reference": "python312-Jinja2-3.1.4-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-0012", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-0012" } ], "notes": [ { "category": "general", "text": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2014-0012", "url": "https://www.suse.com/security/cve/CVE-2014-0012" }, { "category": "external", "summary": "SUSE Bug 858239 for CVE-2014-0012", "url": "https://bugzilla.suse.com/858239" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], 
"threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2014-0012" }, { "cve": "CVE-2016-10745", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-10745" } ], "notes": [ { "category": "general", "text": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2016-10745", "url": "https://www.suse.com/security/cve/CVE-2016-10745" }, { "category": "external", "summary": "SUSE Bug 1132174 for CVE-2016-10745", "url": "https://bugzilla.suse.com/1132174" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", 
"openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.0" }, "products": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2016-10745" }, { "cve": "CVE-2019-10906", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2019-10906" } ], "notes": [ { "category": "general", "text": "In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE 
Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2019-10906", "url": "https://www.suse.com/security/cve/CVE-2019-10906" }, { "category": "external", "summary": "SUSE Bug 1132323 for CVE-2019-10906", "url": "https://bugzilla.suse.com/1132323" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE 
Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2019-10906" }, { "cve": "CVE-2020-28493", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-28493" } ], "notes": [ { "category": "general", "text": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-28493", "url": 
"https://www.suse.com/security/cve/CVE-2020-28493" }, { "category": "external", "summary": "SUSE Bug 1181944 for CVE-2020-28493", "url": "https://bugzilla.suse.com/1181944" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": 
"2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2020-28493" }, { "cve": "CVE-2024-34064", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-34064" } ], "notes": [ { "category": "general", "text": "Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `\u003e`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. 
This vulnerability is fixed in 3.1.4.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2024-34064", "url": "https://www.suse.com/security/cve/CVE-2024-34064" }, { "category": "external", "summary": "SUSE Bug 1223980 for CVE-2024-34064", "url": "https://bugzilla.suse.com/1223980" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 
6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python310-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python311-Jinja2-3.1.4-1.1.x86_64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.aarch64", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.ppc64le", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.s390x", "openSUSE Tumbleweed:python312-Jinja2-3.1.4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2024-34064" } ] }
opensuse-su-2024:11208-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python36-Jinja2-3.0.1-3.2 on GA media
Notes
Title of the patch
python36-Jinja2-3.0.1-3.2 on GA media
Description of the patch
These are all security issues fixed in the python36-Jinja2-3.0.1-3.2 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11208
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python36-Jinja2-3.0.1-3.2 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python36-Jinja2-3.0.1-3.2 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11208", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11208-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2014-0012 page", "url": "https://www.suse.com/security/cve/CVE-2014-0012/" }, { "category": "self", "summary": "SUSE CVE CVE-2016-10745 page", "url": "https://www.suse.com/security/cve/CVE-2016-10745/" }, { "category": "self", "summary": "SUSE CVE CVE-2019-10906 page", "url": "https://www.suse.com/security/cve/CVE-2019-10906/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-28493 page", "url": "https://www.suse.com/security/cve/CVE-2020-28493/" } ], "title": "python36-Jinja2-3.0.1-3.2 on GA media", "tracking": { "current_release_date": 
"2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11208-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python36-Jinja2-3.0.1-3.2.aarch64", "product": { "name": "python36-Jinja2-3.0.1-3.2.aarch64", "product_id": "python36-Jinja2-3.0.1-3.2.aarch64" } }, { "category": "product_version", "name": "python38-Jinja2-3.0.1-3.2.aarch64", "product": { "name": "python38-Jinja2-3.0.1-3.2.aarch64", "product_id": "python38-Jinja2-3.0.1-3.2.aarch64" } }, { "category": "product_version", "name": "python39-Jinja2-3.0.1-3.2.aarch64", "product": { "name": "python39-Jinja2-3.0.1-3.2.aarch64", "product_id": "python39-Jinja2-3.0.1-3.2.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python36-Jinja2-3.0.1-3.2.ppc64le", "product": { "name": "python36-Jinja2-3.0.1-3.2.ppc64le", "product_id": "python36-Jinja2-3.0.1-3.2.ppc64le" } }, { "category": "product_version", "name": "python38-Jinja2-3.0.1-3.2.ppc64le", "product": { "name": "python38-Jinja2-3.0.1-3.2.ppc64le", "product_id": "python38-Jinja2-3.0.1-3.2.ppc64le" } }, { "category": "product_version", "name": "python39-Jinja2-3.0.1-3.2.ppc64le", "product": { "name": "python39-Jinja2-3.0.1-3.2.ppc64le", "product_id": "python39-Jinja2-3.0.1-3.2.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python36-Jinja2-3.0.1-3.2.s390x", "product": { "name": "python36-Jinja2-3.0.1-3.2.s390x", "product_id": "python36-Jinja2-3.0.1-3.2.s390x" } }, { "category": "product_version", "name": "python38-Jinja2-3.0.1-3.2.s390x", "product": { 
"name": "python38-Jinja2-3.0.1-3.2.s390x", "product_id": "python38-Jinja2-3.0.1-3.2.s390x" } }, { "category": "product_version", "name": "python39-Jinja2-3.0.1-3.2.s390x", "product": { "name": "python39-Jinja2-3.0.1-3.2.s390x", "product_id": "python39-Jinja2-3.0.1-3.2.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python36-Jinja2-3.0.1-3.2.x86_64", "product": { "name": "python36-Jinja2-3.0.1-3.2.x86_64", "product_id": "python36-Jinja2-3.0.1-3.2.x86_64" } }, { "category": "product_version", "name": "python38-Jinja2-3.0.1-3.2.x86_64", "product": { "name": "python38-Jinja2-3.0.1-3.2.x86_64", "product_id": "python38-Jinja2-3.0.1-3.2.x86_64" } }, { "category": "product_version", "name": "python39-Jinja2-3.0.1-3.2.x86_64", "product": { "name": "python39-Jinja2-3.0.1-3.2.x86_64", "product_id": "python39-Jinja2-3.0.1-3.2.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python36-Jinja2-3.0.1-3.2.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64" }, "product_reference": "python36-Jinja2-3.0.1-3.2.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python36-Jinja2-3.0.1-3.2.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le" }, "product_reference": "python36-Jinja2-3.0.1-3.2.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": 
"default_component_of", "full_product_name": { "name": "python36-Jinja2-3.0.1-3.2.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x" }, "product_reference": "python36-Jinja2-3.0.1-3.2.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python36-Jinja2-3.0.1-3.2.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64" }, "product_reference": "python36-Jinja2-3.0.1-3.2.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-Jinja2-3.0.1-3.2.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64" }, "product_reference": "python38-Jinja2-3.0.1-3.2.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-Jinja2-3.0.1-3.2.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le" }, "product_reference": "python38-Jinja2-3.0.1-3.2.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-Jinja2-3.0.1-3.2.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x" }, "product_reference": "python38-Jinja2-3.0.1-3.2.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-Jinja2-3.0.1-3.2.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64" }, "product_reference": "python38-Jinja2-3.0.1-3.2.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", 
"full_product_name": { "name": "python39-Jinja2-3.0.1-3.2.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64" }, "product_reference": "python39-Jinja2-3.0.1-3.2.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-Jinja2-3.0.1-3.2.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le" }, "product_reference": "python39-Jinja2-3.0.1-3.2.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-Jinja2-3.0.1-3.2.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x" }, "product_reference": "python39-Jinja2-3.0.1-3.2.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-Jinja2-3.0.1-3.2.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" }, "product_reference": "python39-Jinja2-3.0.1-3.2.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-0012", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-0012" } ], "notes": [ { "category": "general", "text": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2014-0012", "url": "https://www.suse.com/security/cve/CVE-2014-0012" }, { "category": "external", "summary": "SUSE Bug 858239 for CVE-2014-0012", "url": "https://bugzilla.suse.com/858239" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "threats": [ { "category": 
"impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2014-0012" }, { "cve": "CVE-2016-10745", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-10745" } ], "notes": [ { "category": "general", "text": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2016-10745", "url": "https://www.suse.com/security/cve/CVE-2016-10745" }, { "category": "external", "summary": "SUSE Bug 1132174 for CVE-2016-10745", "url": "https://bugzilla.suse.com/1132174" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE 
Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.0" }, "products": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2016-10745" }, { "cve": "CVE-2019-10906", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2019-10906" } ], "notes": [ { "category": "general", "text": "In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE 
Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2019-10906", "url": "https://www.suse.com/security/cve/CVE-2019-10906" }, { "category": "external", "summary": "SUSE Bug 1132323 for CVE-2019-10906", "url": "https://bugzilla.suse.com/1132323" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE 
Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2019-10906" }, { "cve": "CVE-2020-28493", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-28493" } ], "notes": [ { "category": "general", "text": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-28493", "url": "https://www.suse.com/security/cve/CVE-2020-28493" }, { "category": "external", "summary": "SUSE Bug 1181944 for CVE-2020-28493", "url": "https://bugzilla.suse.com/1181944" 
} ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x", "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2020-28493" } ] }
opensuse-su-2019:0244-1
Vulnerability from csaf_opensuse
Published
2019-02-25 17:32
Modified
2019-02-25 17:32
Summary
Security update for python-Jinja2
Notes
Title of the patch
Security update for python-Jinja2
Description of the patch
This update for python-Jinja2 fixes the following issues:
- Update to 2.8
- Added `target` parameter to urlize function.
- Added support for `followsymlinks` to the file system loader.
- The truncate filter now counts the length.
- Added equalto filter that helps with select filters.
- Changed cache keys to use absolute file names if available
instead of load names.
- Fixed loop length calculation for some iterators.
- Changed how Jinja2 enforces strings to be native strings in
Python 2 to work when people break their default encoding.
- Added :func:`make_logging_undefined` which returns an undefined
object that logs failures into a logger.
- If unmarshalling of cached data fails the template will be
reloaded now.
- Implemented a block ``set`` tag.
- Default cache size was increased to 400 from a low 50.
- Fixed ``is number`` test to accept long integers in all Python versions.
- Changed ``is number`` to accept Decimal as a number.
- Added a check for default arguments followed by non-default arguments. This
change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a syntax error. The
previous behavior for this code was broken anyway (resulting in the default
value being applied to `y`).
- Add ability to use custom subclasses of ``jinja2.compiler.CodeGenerator`` and
``jinja2.runtime.Context`` by adding two new attributes to the environment
(`code_generator_class` and `context_class`) (pull request ``#404``).
- added support for context/environment/evalctx decorator functions on
the finalize callback of the environment.
- escape query strings for urlencode properly. Previously slashes were not
escaped in that place.
- Add 'base' parameter to 'int' filter.
- Tests are removed from the package (not distributed in the tar.gz)
- Use %python_version over %py_ver: better portability to RHEL
- run testsuite during build
- adjust dependency to use up to date package name for python-MarkupSafe
- Update to 2.7.3 (boo#858239, CVE-2014-0012)
- Security issue: Corrected the security fix for the cache folder.
This fix was provided by RedHat.
- fix package build (file selection missing)
- avoid rebuildcycle with vim
- update to 2.7.2:
- Prefix loader was not forwarding the locals properly to
inner loaders. This is now fixed.
- Security issue: Changed the default folder for the filesystem cache to be
user specific and read and write protected on UNIX systems. See `Debian bug
734747`_ for more information.
- Require python-setuptools instead of distribute (upstreams merged)
- Avoid 'Recommends:' on old rpm distros
- update to 2.7.1:
- Fixed a bug with ``call_filter`` not working properly on environment
and context filters.
- Fixed lack of Python 3 support for bytecode caches.
- Reverted support for defining blocks in included templates as this
broke existing templates for users.
- Fixed some warnings with hashing of undefineds and nodes if Python
is run with warnings for Python 3.
- Added support for properly hashing undefined objects.
- Fixed a bug with the title filter not working on already uppercase
strings.
- update to 2.7:
- Choice and prefix loaders now dispatch source and template lookup
separately in order to work in combination with module loaders as
advertised.
- Fixed filesizeformat.
- Added a non-silent option for babel extraction.
- Added `urlencode` filter that automatically quotes values for
URL safe usage with utf-8 as only supported encoding. If applications
want to change this encoding they can override the filter.
- Added `keep-trailing-newline` configuration to environments and
templates to optionally preserve the final trailing newline.
- Accessing `last` on the loop context no longer causes the iterator
to be consumed into a list.
- Python requirement changed: 2.6, 2.7 or >= 3.3 are required now,
supported by same source code, using the 'six' compatibility library.
- Allow `contextfunction` and other decorators to be applied to `__call__`.
- Added support for changing from newline to different signs in the `wordwrap`
filter.
- Added support for ignoring memcache errors silently.
- Added support for keeping the trailing newline in templates.
- Added finer grained support for stripping whitespace on the left side
of blocks.
- Added `map`, `select`, `reject`, `selectattr` and `rejectattr`
filters.
- Added support for `loop.depth` to figure out how deep inside a recursive
loop the code is.
- Disabled py_compile for pypy and python 3.
- Fix building python 3 package on openSUSE 11.4 x86_64
- Add 2to3 buildrequires to allow for proper conversion of python 3
version
- Add python 3 package
- Simplify vim plugin packaging
- Add suggests for vim and emacs in their respective
packages
- Removed test for obsolete openSUSE version
- Simplified macro usage
- Split off 'vim' and 'emacs' sub-packages that contain syntax highlighting
support for both editors
- Set license to BSD-3-Clause (SPDX style)
- Require python-distribute instead of python-setuptools
- Update to version 2.6:
* internal attributes now raise an internal attribute error now instead
of returning an undefined. This fixes problems when passing undefined
objects to Python semantics expecting APIs.
* traceback support now works properly for PyPy. (Tested with 1.4)
* implemented operator intercepting for sandboxed environments. This
allows application developers to disable builtin operators for better
security. (For instance limit the mathematical operators to actual
integers instead of longs)
* groupby filter now supports dotted notation for grouping by attributes
of attributes.
* scoped blocks now properly treat toplevel assignments and imports.
Previously an import suddenly 'disappeared' in a scoped block.
* automatically detect newer Python interpreter versions before loading code
from bytecode caches to prevent segfaults on invalid opcodes. The segfault
in earlier Jinja2 versions here was not a Jinja2 bug but a limitation in
the underlying Python interpreter. If you notice Jinja2 segfaulting in
earlier versions after an upgrade of the Python interpreter you don't have
to upgrade, it's enough to flush the bytecode cache. This just no longer
makes this necessary, Jinja2 will automatically detect these cases now.
* the sum filter can now sum up values by attribute. This is a backwards
incompatible change. The argument to the filter previously was the
optional starting index which defaulted to zero. This now became the
second argument to the function because it's rarely used.
* like sum, sort now also makes it possible to order items by attribute.
* like sum and sort, join now also is able to join attributes of objects
as string.
* the internal eval context now has a reference to the environment.
* added a mapping test to see if an object is a dict or an object with
a similar interface.
- Renamed to python-Jinja2
- Fix wrong EOL encodings
- Do not require python-setuptools, buildrequires is sufficient
- Removed authors from description
- Changed license to BSD3c
- rpmlint issues cleanup
* fdupes, tar.bz2 tarball, ...
- package docs again (lost with last revision)
- re-generated spec file with py2pack
* now builds for Fedora and Mandriva
- Update to 2.2.1;
- Fixed changes file name.
- initial package (2.1.1)
Patchnames
openSUSE-2019-244
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-Jinja2", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-Jinja2 fixes the following issues:\n\n- Update to 2.8\n - Added `target` parameter to urlize function.\n - Added support for `followsymlinks` to the file system loader.\n - The truncate filter now counts the length.\n - Added equalto filter that helps with select filters.\n - Changed cache keys to use absolute file names if available\n instead of load names.\n - Fixed loop length calculation for some iterators.\n - Changed how Jinja2 enforces strings to be native strings in\n Python 2 to work when people break their default encoding.\n - Added :func:`make_logging_undefined` which returns an undefined\n object that logs failures into a logger.\n - If unmarshalling of cached data fails the template will be\n reloaded now.\n - Implemented a block ``set`` tag.\n - Default cache size was incrased to 400 from a low 50.\n - Fixed ``is number`` test to accept long integers in all Python versions.\n - Changed ``is number`` to accept Decimal as a number.\n - Added a check for default arguments followed by non-default arguments. This\n change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a syntax error. 
The\n previous behavior for this code was broken anyway (resulting in the default\n value being applied to `y`).\n - Add ability to use custom subclasses of ``jinja2.compiler.CodeGenerator`` and\n ``jinja2.runtime.Context`` by adding two new attributes to the environment\n (`code_generator_class` and `context_class`) (pull request ``#404``).\n - added support for context/environment/evalctx decorator functions on\n the finalize callback of the environment.\n - escape query strings for urlencode properly. Previously slashes were not\n escaped in that place.\n - Add \u0027base\u0027 parameter to \u0027int\u0027 filter.\n- Tests are removed from the package (not distributed in the tar.gz)\n\n- Use %python_version over %py_ver: better portability to RHEL\n\n- run testsuite during build\n\n- adjust dependency to use up to date package name for python-MarkupSafe\n\n- Update to 2.7.3 (boo#858239, CVE-2014-0012)\n - Security issue: Corrected the security fix for the cache folder. \n This fix was provided by RedHat.\n\n- fix package build (file selection missing)\n\n- avoid rebuildcycle with vim \n\n- update to 2.7.2:\n - Prefix loader was not forwarding the locals properly to\n inner loaders. This is now fixed.\n - Security issue: Changed the default folder for the filesystem cache to be\n user specific and read and write protected on UNIX systems. 
See `Debian bug\n 734747`_ for more information.\n\n- Require python-setuptools instead of distribute (upstreams merged)\n\n- Avoid \u0027Recommends:\u0027 on old rpm distros\n\n- update to 2.7.1:\n - Fixed a bug with ``call_filter`` not working properly on environment\n and context filters.\n - Fixed lack of Python 3 support for bytecode caches.\n - Reverted support for defining blocks in included templates as this\n broke existing templates for users.\n - Fixed some warnings with hashing of undefineds and nodes if Python\n is run with warnings for Python 3.\n - Added support for properly hashing undefined objects.\n - Fixed a bug with the title filter not working on already uppercase\n strings.\n\n- update to 2.7:\n - Choice and prefix loaders now dispatch source and template lookup\n separately in order to work in combination with module loaders as\n advertised.\n - Fixed filesizeformat.\n - Added a non-silent option for babel extraction.\n - Added `urlencode` filter that automatically quotes values for\n URL safe usage with utf-8 as only supported encoding. 
If applications\n want to change this encoding they can override the filter.\n - Added `keep-trailing-newline` configuration to environments and\n templates to optionally preserve the final trailing newline.\n - Accessing `last` on the loop context no longer causes the iterator\n to be consumed into a list.\n - Python requirement changed: 2.6, 2.7 or \u003e= 3.3 are required now,\n supported by same source code, using the \u0027six\u0027 compatibility library.\n - Allow `contextfunction` and other decorators to be applied to `__call__`.\n - Added support for changing from newline to different signs in the `wordwrap`\n filter.\n - Added support for ignoring memcache errors silently.\n - Added support for keeping the trailing newline in templates.\n - Added finer grained support for stripping whitespace on the left side\n of blocks.\n - Added `map`, `select`, `reject`, `selectattr` and `rejectattr`\n filters.\n - Added support for `loop.depth` to figure out how deep inside a recursive\n loop the code is.\n - Disabled py_compile for pypy and python 3.\n\n- Fix building python 3 package on openSUSE 11.4 x86_64\n\n- Add 2to3 buildrequires to allow for proper conversion of python 3\n version\n\n- Add python 3 package\n- Simplify vim plugin packaging\n- Add suggests for vim and emacs in their respective \n packages\n- Removed test for obsolete openSUSE version\n\n- Simplified macro usage\n\n- Split of \u0027vim\u0027 and \u0027emacs\u0027 sub-packages that contain syntax highlighting\n support for both editors\n\n- Set license to BSD-3-Clause (SPDX style)\n- Require python-distribute instead of python-setuptools\n\n- Update to version 2.6:\n * internal attributes now raise an internal attribute error now instead\n of returning an undefined. This fixes problems when passing undefined\n objects to Python semantics expecting APIs.\n * traceback support now works properly for PyPy. (Tested with 1.4)\n * implemented operator intercepting for sandboxed environments. 
This\n allows application developers to disable builtin operators for better\n security. (For instance limit the mathematical operators to actual\n integers instead of longs)\n * groupby filter now supports dotted notation for grouping by attributes\n of attributes.\n * scoped blocks not properly treat toplevel assignments and imports.\n Previously an import suddenly \u0027disappeared\u0027 in a scoped block.\n * automatically detect newer Python interpreter versions before loading code\n from bytecode caches to prevent segfaults on invalid opcodes. The segfault\n in earlier Jinja2 versions here was not a Jinja2 bug but a limitation in\n the underlying Python interpreter. If you notice Jinja2 segfaulting in\n earlier versions after an upgrade of the Python interpreter you don\u0027t have\n to upgrade, it\u0027s enough to flush the bytecode cache. This just no longer\n makes this necessary, Jinja2 will automatically detect these cases now.\n * the sum filter can now sum up values by attribute. This is a backwards\n incompatible change. The argument to the filter previously was the\n optional starting index which defaultes to zero. 
This now became the\n second argument to the function because it\u0027s rarely used.\n * like sum, sort now also makes it possible to order items by attribute.\n * like sum and sort, join now also is able to join attributes of objects\n as string.\n * the internal eval context now has a reference to the environment.\n * added a mapping test to see if an object is a dict or an object with\n a similar interface.\n\n- Renamed to python-Jinja2\n- Fix wrong EOL encodings\n\n- Do not require python-setuptools, buildrequires is sufficient\n- Removed authors from description\n- Changed license to BSD3c\n\n- rpmlint issues cleanup\n * fdupes, tar.bz2 tarball, ...\n- package docs again (lost with last revision)\n\n- re-generated spec file with py2pack\n * now builds for Fedora and Mandriva\n\n- Update to 2.2.1;\n- Fixed changes file name.\n\n- initial package (2.1.1)", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2019-244", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0244-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2019:0244-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J6U2NCERMUWAZTZY5VD4C4YB2XD5EDKW/#J6U2NCERMUWAZTZY5VD4C4YB2XD5EDKW" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2019:0244-1", "url": 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J6U2NCERMUWAZTZY5VD4C4YB2XD5EDKW/#J6U2NCERMUWAZTZY5VD4C4YB2XD5EDKW" }, { "category": "self", "summary": "SUSE Bug 858239", "url": "https://bugzilla.suse.com/858239" }, { "category": "self", "summary": "SUSE CVE CVE-2014-0012 page", "url": "https://www.suse.com/security/cve/CVE-2014-0012/" } ], "title": "Security update for python-Jinja2", "tracking": { "current_release_date": "2019-02-25T17:32:38Z", "generator": { "date": "2019-02-25T17:32:38Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2019:0244-1", "initial_release_date": "2019-02-25T17:32:38Z", "revision_history": [ { "date": "2019-02-25T17:32:38Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python-Jinja2-2.8-2.1.noarch", "product": { "name": "python-Jinja2-2.8-2.1.noarch", "product_id": "python-Jinja2-2.8-2.1.noarch" } }, { "category": "product_version", "name": "python-Jinja2-emacs-2.8-2.1.noarch", "product": { "name": "python-Jinja2-emacs-2.8-2.1.noarch", "product_id": "python-Jinja2-emacs-2.8-2.1.noarch" } }, { "category": "product_version", "name": "python-Jinja2-vim-2.8-2.1.noarch", "product": { "name": "python-Jinja2-vim-2.8-2.1.noarch", "product_id": "python-Jinja2-vim-2.8-2.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 12", "product": { "name": "SUSE Package Hub 12", "product_id": "SUSE Package Hub 12", "product_identification_helper": { "cpe": "cpe:/o:suse:packagehub:12" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.8-2.1.noarch as component of SUSE 
Package Hub 12", "product_id": "SUSE Package Hub 12:python-Jinja2-2.8-2.1.noarch" }, "product_reference": "python-Jinja2-2.8-2.1.noarch", "relates_to_product_reference": "SUSE Package Hub 12" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-emacs-2.8-2.1.noarch as component of SUSE Package Hub 12", "product_id": "SUSE Package Hub 12:python-Jinja2-emacs-2.8-2.1.noarch" }, "product_reference": "python-Jinja2-emacs-2.8-2.1.noarch", "relates_to_product_reference": "SUSE Package Hub 12" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-vim-2.8-2.1.noarch as component of SUSE Package Hub 12", "product_id": "SUSE Package Hub 12:python-Jinja2-vim-2.8-2.1.noarch" }, "product_reference": "python-Jinja2-vim-2.8-2.1.noarch", "relates_to_product_reference": "SUSE Package Hub 12" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-0012", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-0012" } ], "notes": [ { "category": "general", "text": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 12:python-Jinja2-2.8-2.1.noarch", "SUSE Package Hub 12:python-Jinja2-emacs-2.8-2.1.noarch", "SUSE Package Hub 12:python-Jinja2-vim-2.8-2.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2014-0012", "url": "https://www.suse.com/security/cve/CVE-2014-0012" }, { "category": "external", "summary": "SUSE Bug 858239 for CVE-2014-0012", "url": "https://bugzilla.suse.com/858239" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 12:python-Jinja2-2.8-2.1.noarch", "SUSE Package Hub 12:python-Jinja2-emacs-2.8-2.1.noarch", "SUSE Package Hub 12:python-Jinja2-vim-2.8-2.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2019-02-25T17:32:38Z", "details": "moderate" } ], "title": "CVE-2014-0012" } ] }
fkie_cve-2014-0012
Vulnerability from fkie_nvd
Published
2014-05-19 14:55
Modified
2025-04-12 10:46
Summary
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://seclists.org/oss-sec/2014/q1/73 | ||
secalert@redhat.com | http://secunia.com/advisories/56328 | ||
secalert@redhat.com | http://secunia.com/advisories/60738 | ||
secalert@redhat.com | http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml | ||
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1051421 | ||
secalert@redhat.com | https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7 | Exploit, Patch | |
secalert@redhat.com | https://github.com/mitsuhiko/jinja2/pull/292 | ||
secalert@redhat.com | https://github.com/mitsuhiko/jinja2/pull/296 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/oss-sec/2014/q1/73 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/56328 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/60738 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml | ||
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1051421 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mitsuhiko/jinja2/pull/292 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mitsuhiko/jinja2/pull/296 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pocoo:jinja2:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "2E22D331-9917-4E29-9FDD-4907337D7948", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402." }, { "lang": "es", "value": "FileSystemBytecodeCache en Jinja2 2.7.2 no crea debidamente directorios temporales, lo que permite a usuarios locales ganar privilegios mediante la previa creaci\u00f3n de un directorio temporal con el identificador de un usuario. NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para CVE-2014-1402." } ], "id": "CVE-2014-0012", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-05-19T14:55:10.330", "references": [ { "source": "secalert@redhat.com", "url": "http://seclists.org/oss-sec/2014/q1/73" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/56328" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/60738" }, { "source": "secalert@redhat.com", "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { 
"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "source": "secalert@redhat.com", "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "source": "secalert@redhat.com", "url": "https://github.com/mitsuhiko/jinja2/pull/296" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q1/73" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/56328" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/60738" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mitsuhiko/jinja2/pull/296" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
pysec-2014-82
Vulnerability from pysec
Published
2014-05-19 14:55
Modified
2021-08-27 03:22
Details
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
Impacted products
Name | purl
---|---
jinja2 | pkg:pypi/jinja2
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "jinja2", "purl": "pkg:pypi/jinja2" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "acb672b6a179567632e032f547582f30fa2f4aa7" } ], "repo": "https://github.com/mitsuhiko/jinja2", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "2.7.3" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.0", "2.0rc1", "2.1", "2.1.1", "2.2", "2.2.1", "2.3", "2.3.1", "2.4", "2.4.1", "2.5", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6", "2.7", "2.7.1", "2.7.2" ] } ], "aliases": [ "CVE-2014-0012" ], "details": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "id": "PYSEC-2014-82", "modified": "2021-08-27T03:22:05.027573Z", "published": "2014-05-19T14:55:00Z", "references": [ { "type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "type": "WEB", "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "type": "FIX", "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "type": "WEB", "url": "http://seclists.org/oss-sec/2014/q1/73" }, { "type": "WEB", "url": "https://github.com/mitsuhiko/jinja2/pull/296" }, { "type": "ADVISORY", "url": "http://secunia.com/advisories/60738" }, { "type": "WEB", "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { "type": "ADVISORY", "url": "http://secunia.com/advisories/56328" } ] }
ghsa-fqh9-2qgg-h84h
Vulnerability from github
Published
2022-05-17 04:01
Modified
2024-09-23 19:26
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6.9 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
6.9 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Insecure Temporary File in Jinja2
Details
FileSystemBytecodeCache in Jinja2 prior to version 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "Jinja2" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2014-0012" ], "database_specific": { "cwe_ids": [ "CWE-377" ], "github_reviewed": true, "github_reviewed_at": "2023-02-14T00:58:39Z", "nvd_published_at": "2014-05-19T14:55:00Z", "severity": "MODERATE" }, "details": "FileSystemBytecodeCache in Jinja2 prior to version 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "id": "GHSA-fqh9-2qgg-h84h", "modified": "2024-09-23T19:26:46Z", "published": "2022-05-17T04:01:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0012" }, { "type": "WEB", "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "type": "WEB", "url": "https://github.com/mitsuhiko/jinja2/pull/296" }, { "type": "WEB", "url": "https://github.com/pallets/jinja2/pull/292" }, { "type": "WEB", "url": "https://github.com/pallets/jinja2/pull/296" }, { "type": "WEB", "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "type": "WEB", "url": "https://github.com/pallets/jinja/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "type": "WEB", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "type": "PACKAGE", "url": "https://github.com/pallets/jinja2" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-82.yaml" }, { "type": "WEB", "url": "http://seclists.org/oss-sec/2014/q1/73" }, { "type": "WEB", "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" } ], "schema_version": "1.4.0", "severity": [ { "score": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Insecure Temporary File in Jinja2" }
suse-su-2015:1336-1
Vulnerability from csaf_suse
Published
2015-05-11 09:09
Modified
2015-05-11 09:09
Summary
Security update for python-Jinja2
Notes
Title of the patch
Security update for python-Jinja2
Description of the patch
The python-Jinja2 package was updated to version 2.7.3 to fix a security issue and some build problems.
The following vulnerabilities were fixed:
- Update to 2.7.3 (bnc#858239, CVE-2014-0012)
- Security issue: Corrected the security fix for the cache folder.
This fix was provided by RedHat.
The following build issues were fixed:
- run testsuite during build
- adjust dependency to use up to date package name for python-MarkupSafe
- fix package build (file selection missing)
Patchnames
SUSE-SLE12-CLOUD-5-2015-363,SUSE-Storage-1.0-2015-363
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-Jinja2", "title": "Title of the patch" }, { "category": "description", "text": "The python-Jinja2 package was updated to version 2.7.3 to fix a security issues and some build problems. \n\nThe following vulnerabilities were fixed:\n- Update to 2.7.3 (bnc#858239, CVE-2014-0012)\n - Security issue: Corrected the security fix for the cache folder. \n This fix was provided by RedHat.\n\nThe following build issues were fixed:\n- run testsuite during build\n- adjust dependency to use up to date package name for python-MarkupSafe\n- fix package build (file selection missing)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-SLE12-CLOUD-5-2015-363,SUSE-Storage-1.0-2015-363", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_1336-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2015:1336-1", "url": "https://www.suse.com/support/update/announcement/2015/suse-su-20151336-1/" }, { "category": "self", "summary": "E-Mail link for 
SUSE-SU-2015:1336-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2015-August/001522.html" }, { "category": "self", "summary": "SUSE Bug 858239", "url": "https://bugzilla.suse.com/858239" }, { "category": "self", "summary": "SUSE CVE CVE-2014-0012 page", "url": "https://www.suse.com/security/cve/CVE-2014-0012/" } ], "title": "Security update for python-Jinja2", "tracking": { "current_release_date": "2015-05-11T09:09:44Z", "generator": { "date": "2015-05-11T09:09:44Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2015:1336-1", "initial_release_date": "2015-05-11T09:09:44Z", "revision_history": [ { "date": "2015-05-11T09:09:44Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python-Jinja2-2.7.3-4.1.noarch", "product": { "name": "python-Jinja2-2.7.3-4.1.noarch", "product_id": "python-Jinja2-2.7.3-4.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5", "product": { "name": "SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5", "product_id": "SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-sle12-cloud-compute:5" } } }, { "category": "product_name", "name": "SUSE Enterprise Storage 1.0", "product": { "name": "SUSE Enterprise Storage 1.0", "product_id": "SUSE Enterprise Storage 1.0", "product_identification_helper": { "cpe": "cpe:/o:suse:ses:1.0" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.7.3-4.1.noarch as component of SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5", "product_id": 
"SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5:python-Jinja2-2.7.3-4.1.noarch" }, "product_reference": "python-Jinja2-2.7.3-4.1.noarch", "relates_to_product_reference": "SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5" }, { "category": "default_component_of", "full_product_name": { "name": "python-Jinja2-2.7.3-4.1.noarch as component of SUSE Enterprise Storage 1.0", "product_id": "SUSE Enterprise Storage 1.0:python-Jinja2-2.7.3-4.1.noarch" }, "product_reference": "python-Jinja2-2.7.3-4.1.noarch", "relates_to_product_reference": "SUSE Enterprise Storage 1.0" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-0012", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-0012" } ], "notes": [ { "category": "general", "text": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5:python-Jinja2-2.7.3-4.1.noarch", "SUSE Enterprise Storage 1.0:python-Jinja2-2.7.3-4.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2014-0012", "url": "https://www.suse.com/security/cve/CVE-2014-0012" }, { "category": "external", "summary": "SUSE Bug 858239 for CVE-2014-0012", "url": "https://bugzilla.suse.com/858239" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5:python-Jinja2-2.7.3-4.1.noarch", "SUSE Enterprise Storage 1.0:python-Jinja2-2.7.3-4.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2015-05-11T09:09:44Z", "details": "moderate" } ], 
"title": "CVE-2014-0012" } ] }
gsd-2014-0012
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2014-0012", "description": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "id": "GSD-2014-0012", "references": [ "https://www.suse.com/security/cve/CVE-2014-0012.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2014-0012" ], "details": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "id": "GSD-2014-0012", "modified": "2023-12-13T01:22:43.822200Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0012", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_affected": "=", "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://seclists.org/oss-sec/2014/q1/73", "refsource": "MISC", "url": "http://seclists.org/oss-sec/2014/q1/73" }, { "name": "http://secunia.com/advisories/56328", "refsource": "MISC", "url": "http://secunia.com/advisories/56328" }, { "name": "http://secunia.com/advisories/60738", "refsource": "MISC", "url": "http://secunia.com/advisories/60738" }, { "name": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml", "refsource": "MISC", "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "name": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7", "refsource": "MISC", "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "name": "https://github.com/mitsuhiko/jinja2/pull/292", "refsource": "MISC", "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "name": "https://github.com/mitsuhiko/jinja2/pull/296", "refsource": "MISC", "url": "https://github.com/mitsuhiko/jinja2/pull/296" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c2.7.2", "affected_versions": "All versions before 2.7.2", "cvss_v2": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "cwe_ids": [ "CWE-1035", "CWE-264", "CWE-937" ], "date": "2023-02-14", "description": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.", "fixed_versions": [ "2.7.2" ], "identifier": "CVE-2014-0012", "identifiers": [ "GHSA-fqh9-2qgg-h84h", "CVE-2014-0012" ], "not_impacted": "All versions starting from 2.7.2", "package_slug": "pypi/Jinja2", "pubdate": "2022-05-17", "solution": "Upgrade to version 2.7.2 or above.", "title": "Insecure Temporary File in Jinja2", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2014-0012", "https://bugzilla.redhat.com/show_bug.cgi?id=1051421", "http://seclists.org/oss-sec/2014/q1/73", "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml", "https://github.com/pallets/jinja2/pull/292", "https://github.com/pallets/jinja2/pull/296", "https://github.com/pallets/jinja/commit/acb672b6a179567632e032f547582f30fa2f4aa7", "https://github.com/advisories/GHSA-fqh9-2qgg-h84h" ], "uuid": "fcc9447f-51ea-4dc8-aee2-d5661d6e0e75" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:pocoo:jinja2:2.7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0012" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-264" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421", "refsource": "MISC", "tags": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421" }, { "name": "https://github.com/mitsuhiko/jinja2/pull/292", "refsource": "MISC", "tags": [], "url": "https://github.com/mitsuhiko/jinja2/pull/292" }, { "name": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7", "refsource": "MISC", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7" }, { "name": "[oss-security] 20140110 CVE assignment for jinja2", "refsource": "MLIST", "tags": [], "url": "http://seclists.org/oss-sec/2014/q1/73" }, { "name": "https://github.com/mitsuhiko/jinja2/pull/296", "refsource": "MISC", "tags": [], "url": "https://github.com/mitsuhiko/jinja2/pull/296" }, { "name": "60738", "refsource": "SECUNIA", "tags": [], "url": "http://secunia.com/advisories/60738" }, { "name": "GLSA-201408-13", "refsource": "GENTOO", "tags": [], "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml" }, { "name": "56328", "refsource": "SECUNIA", "tags": [], "url": "http://secunia.com/advisories/56328" } ] } }, "impact": { "baseMetricV2": { "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false } }, "lastModifiedDate": "2023-02-13T00:29Z", "publishedDate": "2014-05-19T14:55Z" } } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.