Описание
Security update for python-Jinja2
This update for python-Jinja2 fixes the following issues:
Security issues fixed:
- CVE-2016-10745: Fixed a sandbox escape caused by an information disclosure via str.format (bsc#1132174).
- CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
- CVE-2019-8341: Fixed command injection in function from_string (bsc#1125815).
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Список пакетов
openSUSE Leap 42.3
Ссылки
- E-Mail link for openSUSE-SU-2019:1614-1
- SUSE Security Ratings
Описание
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
Затронутые продукты
Ссылки
- CVE-2016-10745
- SUSE Bug 1132174
Описание
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
Затронутые продукты
Ссылки
- CVE-2019-10906
- SUSE Bug 1132323
Описание
** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
Затронутые продукты
Ссылки
- CVE-2019-8341
- SUSE Bug 1125815