Source: jinja2
Version: 3.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.1.3-1.1
Hi,

The following vulnerability was published for jinja2.

CVE-2024-56326[0]:
| Jinja is an extensible templating engine. Prior to 3.1.5, an
| oversight in how the Jinja sandboxed environment detects calls to
| str.format allows an attacker that controls the content of a
| template to execute arbitrary Python code. To exploit the
| vulnerability, an attacker needs to control the content of a
| template. Whether that is the case depends on the type of
| application using Jinja. This vulnerability impacts users of
| applications which execute untrusted templates. Jinja's sandbox does
| catch calls to str.format and ensures they don't escape the sandbox.
| However, it's possible to store a reference to a malicious string's
| format method, then pass that to a filter that calls it. No such
| filters are built-in to Jinja, but could be present through custom
| filters in an application. After the fix, such indirect calls are
| also handled by the sandbox. This vulnerability is fixed in 3.1.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56326
    https://www.cve.org/CVERecord?id=CVE-2024-56326
[1] https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
[2] https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4

Regards,
Salvatore
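The following is an added, self-contained illustration of the sandbox gap the advisory describes; it is not part of the bug report and is not Jinja's code. It models the two mechanisms the advisory names with stdlib only: a sandbox `call()` hook that intercepts direct calls to a string's bound `format` method and reroutes them through a `string.Formatter` subclass whose attribute lookups are policed (the approach Jinja's `SandboxedFormatter` takes), and a custom filter that simply calls whatever callable it is given. `ToySandbox`, `apply_filter`, `Secret`, `PAYLOAD` and the `patched` flag are all constructed for this example; the "patched" mode models the post-fix behaviour described in the advisory (indirect calls also sandboxed) by wrapping the `format` reference at attribute-lookup time, which is an assumption about how the fix works rather than a quotation of the upstream commit.

```python
"""Toy model of CVE-2024-56326: direct str.format calls are intercepted by the
sandbox, but a stored reference to a string's .format method, handed to a
filter that calls it, is not. Constructed example, not Jinja's implementation."""
import re
from string import Formatter


class SecurityError(Exception):
    """Raised when template code reaches something the sandbox forbids."""


def is_str_format(fn) -> bool:
    """True for a bound str.format / str.format_map method."""
    return (
        getattr(fn, "__name__", None) in ("format", "format_map")
        and isinstance(getattr(fn, "__self__", None), str)
    )


# Attribute / item accessors in a replacement field, e.g. ".__class__" or "[0]".
# Toy parser: word characters only, no quoted keys.
_FIELD_RE = re.compile(r"\.(\w+)|\[(\w+)\]")


class SandboxedFormatter(Formatter):
    """string.Formatter that resolves field attributes/items through the sandbox."""

    def __init__(self, env):
        super().__init__()
        self._env = env

    def get_field(self, field_name, args, kwargs):
        head = re.match(r"\w*", field_name)
        first = head.group(0)
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        for attr, item in _FIELD_RE.findall(field_name[head.end():]):
            obj = self._env.getattr(obj, attr) if attr else self._env.getitem(obj, item)
        return obj, first


class ToySandbox:
    """Minimal stand-in for a sandboxed environment (constructed for this example)."""

    def __init__(self, patched: bool):
        self.patched = patched  # True models the post-3.1.5 behaviour

    @staticmethod
    def is_safe_attribute(name: str) -> bool:
        return not name.startswith("_")  # no dunders / private attributes

    def wrap_format(self, fn):
        """Return a callable that formats fn.__self__ under sandbox rules."""
        fmt = SandboxedFormatter(self)
        if fn.__name__ == "format_map":
            return lambda mapping: fmt.vformat(fn.__self__, (), mapping)
        return lambda *a, **kw: fmt.vformat(fn.__self__, a, kw)

    def getattr(self, obj, name):
        if not self.is_safe_attribute(name):
            raise SecurityError(f"access to attribute {name!r} is unsafe")
        value = getattr(obj, name)
        # Modelled fix: a reference to str.format is wrapped when it is *looked up*,
        # so it stays sandboxed no matter who eventually calls it.
        if self.patched and is_str_format(value):
            return self.wrap_format(value)
        return value

    def getitem(self, obj, key):
        return obj[key]

    def call(self, fn, *args, **kwargs):
        """Every call written in template syntax goes through here."""
        if is_str_format(fn):  # pre-fix check: only catches the *direct* call
            return self.wrap_format(fn)(*args, **kwargs)
        return fn(*args, **kwargs)


def apply_filter(fn, value):
    """Custom filter of the kind the advisory warns about: calls its argument itself."""
    return fn(value)


class Secret:
    """Constructed context object; the payload tries to read its dunder attributes."""


PAYLOAD = "{0.__class__.__name__}"  # constructed template string reaching a dunder


def direct_call(sandbox):
    # Template equivalent: {{ payload.format(obj) }}  -> routed through sandbox.call
    return sandbox.call(sandbox.getattr(PAYLOAD, "format"), Secret())


def indirect_call(sandbox):
    # Template equivalent: {% set f = payload.format %}{{ f|apply(obj) }}
    f = sandbox.getattr(PAYLOAD, "format")
    return sandbox.call(apply_filter, f, Secret())


def run(sandbox, scenario) -> str:
    try:
        return scenario(sandbox)
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for patched in (False, True):
        sb = ToySandbox(patched=patched)
        print(f"patched={patched}: direct={run(sb, direct_call)!r} "
              f"indirect={run(sb, indirect_call)!r}")
```

In the unpatched model the direct call is blocked but the indirect one returns `'Secret'`, i.e. the dunder lookup the sandbox is meant to forbid succeeded; with the modelled fix both paths are blocked. On a Debian system the installed version can be checked with `dpkg -l python3-jinja2` or `python3 -c 'import jinja2; print(jinja2.__version__)'`; applications that expose custom filters which call their arguments are the ones affected per the advisory.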