RSS   Vulnerabilities for 'Jinja2'   RSS

2019-02-15
 
CVE-2019-8341

CWE-94
 

 
** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.

 
2014-05-19
 
CVE-2014-1402

CWE-264
 

 
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

 
 
CVE-2014-0012

 

 
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

 

 >>> Vendor: Pocoo 2 Products
Jinja2
Babel


Copyright 2024, cxsecurity.com

 

Back to Top