Vulnerabilities affecting this package (1)
| Vulnerability |
Summary |
Fixed by |
VCID-8vr3-83b4-hqd2
Aliases:
CVE-2024-56326
GHSA-q2x7-8rv6-6q7h
|
Jinja has a sandbox breakout through indirect reference to format method
An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.
To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.
|
There are no reported fixed by versions.
|
Vulnerabilities fixed by this package (0)
| Vulnerability |
Summary |
Aliases |
|
This package is not known to fix vulnerabilities.
|