csaf_opensuse - opensuse-su-2024:11208-1

opensuse-su-2024:11208-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

python36-Jinja2-3.0.1-3.2 on GA media

Notes

Title of the patch

python36-Jinja2-3.0.1-3.2 on GA media

Description of the patch

These are all security issues fixed in the python36-Jinja2-3.0.1-3.2 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11208

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python36-Jinja2-3.0.1-3.2 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python36-Jinja2-3.0.1-3.2 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11208",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11208-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-0012 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-0012/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-10745 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-10745/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-10906 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-10906/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-28493 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-28493/"
      }
    ],
    "title": "python36-Jinja2-3.0.1-3.2 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11208-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python36-Jinja2-3.0.1-3.2.aarch64",
                "product": {
                  "name": "python36-Jinja2-3.0.1-3.2.aarch64",
                  "product_id": "python36-Jinja2-3.0.1-3.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Jinja2-3.0.1-3.2.aarch64",
                "product": {
                  "name": "python38-Jinja2-3.0.1-3.2.aarch64",
                  "product_id": "python38-Jinja2-3.0.1-3.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Jinja2-3.0.1-3.2.aarch64",
                "product": {
                  "name": "python39-Jinja2-3.0.1-3.2.aarch64",
                  "product_id": "python39-Jinja2-3.0.1-3.2.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python36-Jinja2-3.0.1-3.2.ppc64le",
                "product": {
                  "name": "python36-Jinja2-3.0.1-3.2.ppc64le",
                  "product_id": "python36-Jinja2-3.0.1-3.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Jinja2-3.0.1-3.2.ppc64le",
                "product": {
                  "name": "python38-Jinja2-3.0.1-3.2.ppc64le",
                  "product_id": "python38-Jinja2-3.0.1-3.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Jinja2-3.0.1-3.2.ppc64le",
                "product": {
                  "name": "python39-Jinja2-3.0.1-3.2.ppc64le",
                  "product_id": "python39-Jinja2-3.0.1-3.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python36-Jinja2-3.0.1-3.2.s390x",
                "product": {
                  "name": "python36-Jinja2-3.0.1-3.2.s390x",
                  "product_id": "python36-Jinja2-3.0.1-3.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Jinja2-3.0.1-3.2.s390x",
                "product": {
                  "name": "python38-Jinja2-3.0.1-3.2.s390x",
                  "product_id": "python38-Jinja2-3.0.1-3.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Jinja2-3.0.1-3.2.s390x",
                "product": {
                  "name": "python39-Jinja2-3.0.1-3.2.s390x",
                  "product_id": "python39-Jinja2-3.0.1-3.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python36-Jinja2-3.0.1-3.2.x86_64",
                "product": {
                  "name": "python36-Jinja2-3.0.1-3.2.x86_64",
                  "product_id": "python36-Jinja2-3.0.1-3.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Jinja2-3.0.1-3.2.x86_64",
                "product": {
                  "name": "python38-Jinja2-3.0.1-3.2.x86_64",
                  "product_id": "python38-Jinja2-3.0.1-3.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Jinja2-3.0.1-3.2.x86_64",
                "product": {
                  "name": "python39-Jinja2-3.0.1-3.2.x86_64",
                  "product_id": "python39-Jinja2-3.0.1-3.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python36-Jinja2-3.0.1-3.2.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64"
        },
        "product_reference": "python36-Jinja2-3.0.1-3.2.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python36-Jinja2-3.0.1-3.2.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le"
        },
        "product_reference": "python36-Jinja2-3.0.1-3.2.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python36-Jinja2-3.0.1-3.2.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x"
        },
        "product_reference": "python36-Jinja2-3.0.1-3.2.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python36-Jinja2-3.0.1-3.2.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64"
        },
        "product_reference": "python36-Jinja2-3.0.1-3.2.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Jinja2-3.0.1-3.2.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64"
        },
        "product_reference": "python38-Jinja2-3.0.1-3.2.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Jinja2-3.0.1-3.2.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le"
        },
        "product_reference": "python38-Jinja2-3.0.1-3.2.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Jinja2-3.0.1-3.2.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x"
        },
        "product_reference": "python38-Jinja2-3.0.1-3.2.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Jinja2-3.0.1-3.2.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64"
        },
        "product_reference": "python38-Jinja2-3.0.1-3.2.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Jinja2-3.0.1-3.2.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64"
        },
        "product_reference": "python39-Jinja2-3.0.1-3.2.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Jinja2-3.0.1-3.2.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le"
        },
        "product_reference": "python39-Jinja2-3.0.1-3.2.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Jinja2-3.0.1-3.2.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x"
        },
        "product_reference": "python39-Jinja2-3.0.1-3.2.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Jinja2-3.0.1-3.2.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
        },
        "product_reference": "python39-Jinja2-3.0.1-3.2.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-0012",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-0012"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-0012",
          "url": "https://www.suse.com/security/cve/CVE-2014-0012"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 858239 for CVE-2014-0012",
          "url": "https://bugzilla.suse.com/858239"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-0012"
    },
    {
      "cve": "CVE-2016-10745",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-10745"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-10745",
          "url": "https://www.suse.com/security/cve/CVE-2016-10745"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1132174 for CVE-2016-10745",
          "url": "https://bugzilla.suse.com/1132174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2016-10745"
    },
    {
      "cve": "CVE-2019-10906",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-10906"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-10906",
          "url": "https://www.suse.com/security/cve/CVE-2019-10906"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1132323 for CVE-2019-10906",
          "url": "https://bugzilla.suse.com/1132323"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-10906"
    },
    {
      "cve": "CVE-2020-28493",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-28493"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
          "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-28493",
          "url": "https://www.suse.com/security/cve/CVE-2020-28493"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1181944 for CVE-2020-28493",
          "url": "https://bugzilla.suse.com/1181944"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python36-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python38-Jinja2-3.0.1-3.2.x86_64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.aarch64",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.ppc64le",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.s390x",
            "openSUSE Tumbleweed:python39-Jinja2-3.0.1-3.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-28493"
    }
  ]
}

CVE-2020-28493 (GCVE-0-2020-28493)

Vulnerability from cvelistv5

Published

2021-02-01 19:30

Modified

2024-09-16 17:24

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

CWE

Regular Expression Denial of Service (ReDoS)

Summary

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

References

►

URL

Tags

	https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994	x_refsource_MISC
	https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20	x_refsource_MISC
	https://github.com/pallets/jinja/pull/1343	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/202107-19	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	n/a	jinja2	Version: 0.0.0 < unspecified Version: unspecified < 2.11.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:40:59.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pallets/jinja/pull/1343"
          },
          {
            "name": "FEDORA-2021-2ab8ebcabc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"
          },
          {
            "name": "GLSA-202107-19",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-19"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jinja2",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.11.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Yeting Li"
        }
      ],
      "datePublic": "2021-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Regular Expression Denial of Service (ReDoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-08T06:07:09",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/jinja/pull/1343"
        },
        {
          "name": "FEDORA-2021-2ab8ebcabc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"
        },
        {
          "name": "GLSA-202107-19",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-19"
        }
      ],
      "title": "Regular Expression Denial of Service (ReDoS)",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "DATE_PUBLIC": "2021-02-01T19:29:26.819563Z",
          "ID": "CVE-2020-28493",
          "STATE": "PUBLIC",
          "TITLE": "Regular Expression Denial of Service (ReDoS)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "jinja2",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "0.0.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.11.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Yeting Li"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Regular Expression Denial of Service (ReDoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"
            },
            {
              "name": "https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20",
              "refsource": "MISC",
              "url": "https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"
            },
            {
              "name": "https://github.com/pallets/jinja/pull/1343",
              "refsource": "MISC",
              "url": "https://github.com/pallets/jinja/pull/1343"
            },
            {
              "name": "FEDORA-2021-2ab8ebcabc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"
            },
            {
              "name": "GLSA-202107-19",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-19"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-28493",
    "datePublished": "2021-02-01T19:30:16.601731Z",
    "dateReserved": "2020-11-12T00:00:00",
    "dateUpdated": "2024-09-16T17:24:01.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-0012 (GCVE-0-2014-0012)

Vulnerability from cvelistv5

Published

2014-05-19 14:00

Modified

2024-08-06 08:58

Severity ?

CWE

Summary

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

References

►

URL

Tags

	https://github.com/mitsuhiko/jinja2/pull/292	x_refsource_MISC
	http://secunia.com/advisories/56328	third-party-advisory, x_refsource_SECUNIA
	https://bugzilla.redhat.com/show_bug.cgi?id=1051421	x_refsource_MISC
	http://secunia.com/advisories/60738	third-party-advisory, x_refsource_SECUNIA
	https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7	x_refsource_MISC
	https://github.com/mitsuhiko/jinja2/pull/296	x_refsource_MISC
	http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml	vendor-advisory, x_refsource_GENTOO
	http://seclists.org/oss-sec/2014/q1/73	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:58:26.479Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mitsuhiko/jinja2/pull/292"
          },
          {
            "name": "56328",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/56328"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421"
          },
          {
            "name": "60738",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/60738"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mitsuhiko/jinja2/pull/296"
          },
          {
            "name": "GLSA-201408-13",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"
          },
          {
            "name": "[oss-security] 20140110 CVE assignment for jinja2",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2014/q1/73"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-01-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-09-12T12:57:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mitsuhiko/jinja2/pull/292"
        },
        {
          "name": "56328",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/56328"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421"
        },
        {
          "name": "60738",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/60738"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mitsuhiko/jinja2/pull/296"
        },
        {
          "name": "GLSA-201408-13",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"
        },
        {
          "name": "[oss-security] 20140110 CVE assignment for jinja2",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2014/q1/73"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-0012",
    "datePublished": "2014-05-19T14:00:00",
    "dateReserved": "2013-12-03T00:00:00",
    "dateUpdated": "2024-08-06T08:58:26.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10906 (GCVE-0-2019-10906)

Vulnerability from cvelistv5

Published

2019-04-06 23:17

Modified

2024-08-04 22:40

Severity ?

CWE

Summary

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

References

►

URL

Tags

	https://palletsprojects.com/blog/jinja-2-10-1-released	x_refsource_MISC
	https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284%40%3Cdevnull.infra.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da%40%3Ccommits.airflow.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316%40%3Ccommits.airflow.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02%40%3Ccommits.airflow.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df%40%3Cdevnull.infra.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac%40%3Cdevnull.infra.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993%40%3Ccommits.airflow.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f%40%3Cdevnull.infra.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/	vendor-advisory, x_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2019:1152	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:1237	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1329	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/4011-1/	vendor-advisory, x_refsource_UBUNTU
	https://usn.ubuntu.com/4011-2/	vendor-advisory, x_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html	vendor-advisory, x_refsource_SUSE

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:40:15.214Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://palletsprojects.com/blog/jinja-2-10-1-released"
          },
          {
            "name": "[infra-devnull] 20190410 [GitHub] [airflow] XD-DENG opened pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284%40%3Cdevnull.infra.apache.org%3E"
          },
          {
            "name": "[airflow-commits] 20190410 [GitHub] [airflow] XD-DENG opened a new pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da%40%3Ccommits.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-commits] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316%40%3Ccommits.airflow.apache.org%3E"
          },
          {
            "name": "[airflow-commits] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02%40%3Ccommits.airflow.apache.org%3E"
          },
          {
            "name": "[infra-devnull] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df%40%3Cdevnull.infra.apache.org%3E"
          },
          {
            "name": "[infra-devnull] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac%40%3Cdevnull.infra.apache.org%3E"
          },
          {
            "name": "[airflow-commits] 20190410 [GitHub] [airflow] ashb merged pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993%40%3Ccommits.airflow.apache.org%3E"
          },
          {
            "name": "[infra-devnull] 20190410 [GitHub] [airflow] ashb closed pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f%40%3Cdevnull.infra.apache.org%3E"
          },
          {
            "name": "FEDORA-2019-4f978cacb4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/"
          },
          {
            "name": "FEDORA-2019-e41e19457b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/"
          },
          {
            "name": "FEDORA-2019-04a42e480b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/"
          },
          {
            "name": "RHSA-2019:1152",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1152"
          },
          {
            "name": "openSUSE-SU-2019:1395",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
          },
          {
            "name": "RHSA-2019:1237",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1237"
          },
          {
            "name": "RHSA-2019:1329",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1329"
          },
          {
            "name": "USN-4011-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4011-1/"
          },
          {
            "name": "USN-4011-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4011-2/"
          },
          {
            "name": "openSUSE-SU-2019:1614",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-24T20:06:06",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://palletsprojects.com/blog/jinja-2-10-1-released"
        },
        {
          "name": "[infra-devnull] 20190410 [GitHub] [airflow] XD-DENG opened pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284%40%3Cdevnull.infra.apache.org%3E"
        },
        {
          "name": "[airflow-commits] 20190410 [GitHub] [airflow] XD-DENG opened a new pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da%40%3Ccommits.airflow.apache.org%3E"
        },
        {
          "name": "[airflow-commits] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316%40%3Ccommits.airflow.apache.org%3E"
        },
        {
          "name": "[airflow-commits] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02%40%3Ccommits.airflow.apache.org%3E"
        },
        {
          "name": "[infra-devnull] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df%40%3Cdevnull.infra.apache.org%3E"
        },
        {
          "name": "[infra-devnull] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac%40%3Cdevnull.infra.apache.org%3E"
        },
        {
          "name": "[airflow-commits] 20190410 [GitHub] [airflow] ashb merged pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993%40%3Ccommits.airflow.apache.org%3E"
        },
        {
          "name": "[infra-devnull] 20190410 [GitHub] [airflow] ashb closed pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f%40%3Cdevnull.infra.apache.org%3E"
        },
        {
          "name": "FEDORA-2019-4f978cacb4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/"
        },
        {
          "name": "FEDORA-2019-e41e19457b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/"
        },
        {
          "name": "FEDORA-2019-04a42e480b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/"
        },
        {
          "name": "RHSA-2019:1152",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1152"
        },
        {
          "name": "openSUSE-SU-2019:1395",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
        },
        {
          "name": "RHSA-2019:1237",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1237"
        },
        {
          "name": "RHSA-2019:1329",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1329"
        },
        {
          "name": "USN-4011-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4011-1/"
        },
        {
          "name": "USN-4011-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4011-2/"
        },
        {
          "name": "openSUSE-SU-2019:1614",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-10906",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://palletsprojects.com/blog/jinja-2-10-1-released",
              "refsource": "MISC",
              "url": "https://palletsprojects.com/blog/jinja-2-10-1-released"
            },
            {
              "name": "[infra-devnull] 20190410 [GitHub] [airflow] XD-DENG opened pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E"
            },
            {
              "name": "[airflow-commits] 20190410 [GitHub] [airflow] XD-DENG opened a new pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-commits] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E"
            },
            {
              "name": "[airflow-commits] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E"
            },
            {
              "name": "[infra-devnull] 20190410 [GitHub] [airflow] XD-DENG commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.apache.org%3E"
            },
            {
              "name": "[infra-devnull] 20190410 [GitHub] [airflow] ashb commented on issue #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E"
            },
            {
              "name": "[airflow-commits] 20190410 [GitHub] [airflow] ashb merged pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E"
            },
            {
              "name": "[infra-devnull] 20190410 [GitHub] [airflow] ashb closed pull request #5075: [AIRFLOW-XXX] Change allowed version of Jinja2 to fix CVE-2019-10906",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E"
            },
            {
              "name": "FEDORA-2019-4f978cacb4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/"
            },
            {
              "name": "FEDORA-2019-e41e19457b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/"
            },
            {
              "name": "FEDORA-2019-04a42e480b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/"
            },
            {
              "name": "RHSA-2019:1152",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1152"
            },
            {
              "name": "openSUSE-SU-2019:1395",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
            },
            {
              "name": "RHSA-2019:1237",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1237"
            },
            {
              "name": "RHSA-2019:1329",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1329"
            },
            {
              "name": "USN-4011-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4011-1/"
            },
            {
              "name": "USN-4011-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4011-2/"
            },
            {
              "name": "openSUSE-SU-2019:1614",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-10906",
    "datePublished": "2019-04-06T23:17:03",
    "dateReserved": "2019-04-06T00:00:00",
    "dateUpdated": "2024-08-04T22:40:15.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-10745 (GCVE-0-2016-10745)

Vulnerability from cvelistv5

Published

2019-04-08 13:00

Modified

2024-08-06 03:30

Severity ?

CWE

Summary

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

References

►

URL

Tags

	https://palletsprojects.com/blog/jinja-281-released/	x_refsource_MISC
	https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:1022	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:1237	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1260	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/4011-1/	vendor-advisory, x_refsource_UBUNTU
	https://usn.ubuntu.com/4011-2/	vendor-advisory, x_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:3964	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4062	vendor-advisory, x_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:30:20.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://palletsprojects.com/blog/jinja-281-released/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16"
          },
          {
            "name": "RHSA-2019:1022",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1022"
          },
          {
            "name": "openSUSE-SU-2019:1395",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
          },
          {
            "name": "RHSA-2019:1237",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1237"
          },
          {
            "name": "RHSA-2019:1260",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1260"
          },
          {
            "name": "USN-4011-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4011-1/"
          },
          {
            "name": "USN-4011-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4011-2/"
          },
          {
            "name": "openSUSE-SU-2019:1614",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
          },
          {
            "name": "RHSA-2019:3964",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3964"
          },
          {
            "name": "RHSA-2019:4062",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4062"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-03T13:06:04",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://palletsprojects.com/blog/jinja-281-released/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16"
        },
        {
          "name": "RHSA-2019:1022",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1022"
        },
        {
          "name": "openSUSE-SU-2019:1395",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
        },
        {
          "name": "RHSA-2019:1237",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1237"
        },
        {
          "name": "RHSA-2019:1260",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1260"
        },
        {
          "name": "USN-4011-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4011-1/"
        },
        {
          "name": "USN-4011-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4011-2/"
        },
        {
          "name": "openSUSE-SU-2019:1614",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
        },
        {
          "name": "RHSA-2019:3964",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3964"
        },
        {
          "name": "RHSA-2019:4062",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4062"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-10745",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://palletsprojects.com/blog/jinja-281-released/",
              "refsource": "MISC",
              "url": "https://palletsprojects.com/blog/jinja-281-released/"
            },
            {
              "name": "https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16",
              "refsource": "MISC",
              "url": "https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16"
            },
            {
              "name": "RHSA-2019:1022",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1022"
            },
            {
              "name": "openSUSE-SU-2019:1395",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
            },
            {
              "name": "RHSA-2019:1237",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1237"
            },
            {
              "name": "RHSA-2019:1260",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1260"
            },
            {
              "name": "USN-4011-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4011-1/"
            },
            {
              "name": "USN-4011-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4011-2/"
            },
            {
              "name": "openSUSE-SU-2019:1614",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
            },
            {
              "name": "RHSA-2019:3964",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3964"
            },
            {
              "name": "RHSA-2019:4062",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4062"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-10745",
    "datePublished": "2019-04-08T13:00:48",
    "dateReserved": "2019-04-08T00:00:00",
    "dateUpdated": "2024-08-06T03:30:20.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2024:11208-1

Vulnerability from csaf_opensuse

CVE-2020-28493 (GCVE-0-2020-28493)

Vulnerability from cvelistv5

CVE-2014-0012 (GCVE-0-2014-0012)

Vulnerability from cvelistv5

CVE-2019-10906 (GCVE-0-2019-10906)

Vulnerability from cvelistv5

CVE-2016-10745 (GCVE-0-2016-10745)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature