Description
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
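The description above boils down to a usage pattern: from_string compiles whatever source it is handed, so the defect is passing untrusted input as the template source rather than as template data. The following is an added example (not code from this tracker entry or from the Jinja2 project) that contrasts the vulnerable pattern with the safe one and with the sandbox the maintainer refers to; it assumes Jinja2 is installed and uses a harmless constructed input.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed "untrusted" input: a harmless expression. If the application
# treats it as template source it is evaluated; as data it stays literal.
UNTRUSTED_INPUT = "{{ 7 * 7 }}"


def render_vulnerable(user_input: str) -> str:
    """Vulnerable pattern: untrusted input becomes part of the template *source*.

    from_string() does what it is documented to do, compile and render the
    source it receives, so any template syntax in user_input is executed
    with the full power of the template language.
    """
    env = Environment()
    return env.from_string("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """Safe pattern: the template is a developer-controlled constant and the
    untrusted value is passed only as a context variable, so it is emitted
    as data and never parsed as template syntax."""
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}")
    return template.render(name=user_input)


def render_sandboxed(user_input: str) -> str:
    """Mitigation for cases where templates genuinely come from users:
    SandboxedEnvironment restricts attribute access and unsafe calls, but it
    still evaluates template syntax. It reduces impact; it does not turn
    untrusted source back into data."""
    env = SandboxedEnvironment()
    return env.from_string("Hello " + user_input).render()


def looks_like_template_syntax(value: str) -> bool:
    """Cheap input check worth logging on: Jinja delimiters have no business
    in a plain data field such as a user's name."""
    return any(tok in value for tok in ("{{", "{%", "{#"))
```

Both the vulnerable and the sandboxed variant evaluate the input (result "Hello 49"); only the safe variant returns the literal text, which is the behaviour to require in code review.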
| Release | Status | Note |
|---|---|---|
| bionic | ignored | end of standard support |
| cosmic | ignored | end of life |
| devel | ignored | rejected by upstream |
| esm-infra-legacy/trusty | ignored | rejected by upstream |
| esm-infra/bionic | ignored | rejected by upstream |
| esm-infra/xenial | ignored | rejected by upstream |
| precise/esm | ignored | end of life |
| trusty | ignored | end of standard support |
| trusty/esm | ignored | end of ESM support, was ignored [rejected by upstream] |
| upstream | needs-triage | |
CVSS2: 7.5 High
CVSS3: 9.8 Critical
Related vulnerabilities
** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
A vulnerability in the from_string function of the Jinja2 template engine for the Python programming language, allowing an attacker to affect the confidentiality and integrity of protected information.