Lucene search

Veracode Vulnerability DatabaseVERACODE:13605

HistoryApr 08, 2019 - 2:44 a.m.

Remote Code Execution (RCE)

2019-04-0802:44:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

jinja2 is vulnerable to remote code execution (RCE) attacks. The vulnerability exists as the value of str.format_map could be used to escape the sandboxed environment, allowing RCE attacks.

CPENameOperatorVersion
jinja2le2.10
rh-python36-python-jinja2eq2.9.6__2.el6
rh-python36-python-jinja2eq2.9.6__2.el7
mod_xsendfileeq0.12__10.el7ui
mod_xsendfileeq0.12__10.el7sat
mod_xsendfileeq0.12__10.el7
python-daemoneq1.6__5.1.el7
python-daemoneq1.6__5.el7
rubygem-kafo_wizardseq0.0.1__1.el7ui
rubygem-kafo_wizardseq0.0.1__1.el7sat

Name	Operator	Version
jinja2	le	2.10
rh-python36-python-jinja2	eq	2.9.6__2.el6
rh-python36-python-jinja2	eq	2.9.6__2.el7
mod_xsendfile	eq	0.12__10.el7ui
mod_xsendfile	eq	0.12__10.el7sat
mod_xsendfile	eq	0.12__10.el7
python-daemon	eq	1.6__5.1.el7
python-daemon	eq	1.6__5.el7
rubygem-kafo_wizards	eq	0.0.1__1.el7ui
rubygem-kafo_wizards	eq	0.0.1__1.el7sat

Rows per page:

1-10 of 27321

References

lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html

lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html

access.redhat.com/errata/RHSA-2019:1152

access.redhat.com/errata/RHSA-2019:1237

access.redhat.com/errata/RHSA-2019:1329

github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26

lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E

lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E

lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.apache.org%3E

lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E

lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E

lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E

lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E

lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E

lists.fedoraproject.org/archives/list/[email protected]/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/

lists.fedoraproject.org/archives/list/[email protected]/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/

lists.fedoraproject.org/archives/list/[email protected]/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/

palletsprojects.com/blog/jinja-2-10-1-released

palletsprojects.com/blog/jinja-2-10-1-released/

usn.ubuntu.com/4011-1/

usn.ubuntu.com/4011-2/

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Related for VERACODE:13605