Vulnerability CVE-2021-44657


Published: 2021-12-15

Description:
In StackStorm versions prior to 3.6.0, the Jinja interpreter was not run in sandbox mode and thus allowed execution of unsafe system commands. Jinja does not enable sandboxed mode by default, for backwards compatibility. StackStorm now sets sandboxed mode for Jinja by default.

Type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software
Stackstorm -> Stackstorm 

References:
https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
https://github.com/StackStorm/st2/pull/5359
https://github.com/pallets/jinja/issues/549
https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/

Copyright 2024, cxsecurity.com
