user/py3-jinja2: multiple vulnerabilities
| Field | Value |
|---|---|
| Bugzilla ID | 141 |
| Alias(es) | CVE-2019-10906, CVE-2019-8341 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-31 07:03:21 -0500 |
| Modified | 2019-08-04 19:24:29 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| See also | https://bugzilla.redhat.com/show_bug.cgi?id=1677653 |
Description
An issue was discovered in Jinja2 2.10. The from_string function is
prone to Server Side Template Injection (SSTI) where it takes the
"source" parameter as a template object, renders it, and then returns
it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.
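The following is an added illustration of the from_string pattern described above and of its fix; it is not code from the bug report or from the Jinja2 project, and the function names, the harmless arithmetic probe string and the `is_injected` check are constructed for this example. It also shows that wrapping the same pattern in `SandboxedEnvironment` does not remove the injection, it only restricts what injected expressions can reach (and CVE-2019-10906, listed above, is a bypass of exactly that restriction).

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed probe: harmless arithmetic that reveals whether the engine
# evaluates user-supplied template syntax ("49") or echoes it back verbatim.
PROBE = "{{ 7 * 7 }}"


def make_env(sandboxed: bool = False) -> Environment:
    return SandboxedEnvironment() if sandboxed else Environment()


def greet_vulnerable(user_input: str, sandboxed: bool = False) -> str:
    # CVE-2019-8341 pattern: untrusted input becomes part of the template
    # SOURCE handed to from_string(), so Jinja2 compiles and evaluates any
    # {{ ... }} or {% ... %} the caller wrote. The sandbox does not change this.
    env = make_env(sandboxed)
    return env.from_string("Hello " + user_input + "!").render()


def greet_fixed(user_input: str, sandboxed: bool = False) -> str:
    # Fix: the template source is a developer-written constant and untrusted
    # input is passed as render DATA. A variable's value is never re-parsed
    # as template syntax, so the probe is printed, not evaluated.
    env = make_env(sandboxed)
    return env.from_string("Hello {{ name }}!").render(name=user_input)


def is_injected(rendered: str) -> bool:
    # Regression-test heuristic: the probe was evaluated rather than echoed.
    # Run it against every render path that touches request data.
    return "49" in rendered and PROBE not in rendered


if __name__ == "__main__":
    print("vulnerable:", greet_vulnerable(PROBE))                  # Hello 49!
    print("sandboxed :", greet_vulnerable(PROBE, sandboxed=True))  # Hello 49!
    print("fixed     :", greet_fixed(PROBE))                       # Hello {{ 7 * 7 }}!
```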