Description
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.
References
- Patch, Third Party Advisory
- Exploit, Issue Tracking, Third Party Advisory
- Exploit, Third Party Advisory
- Release Notes, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 3.6.0 (excluding 3.6.0)
cpe:2.3:a:stackstorm:stackstorm:*:*:*:*:*:*:*:*
EPSS
Score: 0.02639
Percentile: 85%
Low
CVSS3
8.8 High
CVSS2
9 Critical
Weaknesses
NVD-CWE-Other
Related vulnerabilities
CVSS3: 8.8
github
about 4 years ago