GitHub Advisory DatabaseGHSA-462W-V97R-4M45Jinja2 sandbox escape via string formatting
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
69.7%
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the str.format_map method could be used to escape the sandbox.
This issue was previously addressed for the str.format method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common str.format_map method was overlooked. This release applies the same sandboxing to both methods.
If you cannot upgrade Jinja, you can override the is_safe_attribute method on the sandbox and explicitly disallow the format_map method on string objects.
References
lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
access.redhat.com/errata/RHSA-2019:1152
access.redhat.com/errata/RHSA-2019:1237
access.redhat.com/errata/RHSA-2019:1329
github.com/advisories/GHSA-462w-v97r-4m45
lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E
lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E
lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.apache.org%3E
lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E
lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E
lists.fedoraproject.org/archives/list/[email protected]/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/
lists.fedoraproject.org/archives/list/[email protected]/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/
lists.fedoraproject.org/archives/list/[email protected]/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/
nvd.nist.gov/vuln/detail/CVE-2019-10906
palletsprojects.com/blog/jinja-2-10-1-released
usn.ubuntu.com/4011-1/
usn.ubuntu.com/4011-2/
Related
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
69.7%