
Bug 678268 (CVE-2019-8341)

Summary: dev-python/jinja: server side injection in 'from_string' function
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [upstream]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2019-02-18 03:58:55 UTC

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.


@maintainer(s): unclear if this issue was reported to upstream

Gentoo Security Padawan
Comment 1 Sam James archtester gentoo-dev Security 2020-03-15 15:50:57 UTC

> You should not execute untrusted templates in a non-sandboxed environment. That's exactly why the sandbox exists (and to be honest, even with a sandbox I would not let users provide arbitrary Jinja templates)
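As an added illustration (not code from this bug report or from the Jinja project), the `from_string` pattern the description refers to, side by side with the sandbox upstream mentions and with the fixed-template pattern that keeps user input as data; it assumes `jinja2` is installed, and the sample input is constructed.

```python
# Added example (not from the bug report): untrusted text as template
# *source* (the CVE pattern) versus untrusted text as template *data*.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample of user-controlled input: a harmless expression probe.
SAMPLE_INPUT = "{{ 7 * 7 }}"


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: the untrusted string becomes the template source,
    so Jinja parses and evaluates any {{ ... }} / {% ... %} it contains."""
    return Environment().from_string(user_input).render()


def render_sandboxed(user_input: str) -> str:
    """SandboxedEnvironment restricts what template code may reach (unsafe
    attributes, private names), but the input is still executed as template
    logic; this is why upstream advises against accepting arbitrary
    templates even with the sandbox."""
    return SandboxedEnvironment().from_string(user_input).render()


# Hardened pattern: the template is fixed and written by the developer.
GREETING = Environment(autoescape=True).from_string("Hello, {{ name }}!")


def render_safe(user_input: str) -> str:
    """Untrusted input is passed only as a variable: Jinja treats it as
    data, HTML-escapes it, and never parses it for template tags."""
    return GREETING.render(name=user_input)


def looks_like_template_syntax(user_input: str) -> bool:
    """Defensive check (detection aid, not a fix): flag inputs that carry
    Jinja delimiters before they can reach any from_string() call."""
    return any(tag in user_input for tag in ("{{", "{%", "{#"))


if __name__ == "__main__":
    print("unsafe    :", render_unsafe(SAMPLE_INPUT))     # 49
    print("sandboxed :", render_sandboxed(SAMPLE_INPUT))  # 49 (still evaluated)
    print("safe      :", render_safe(SAMPLE_INPUT))       # Hello, {{ 7 * 7 }}!
    print("flagged   :", looks_like_template_syntax(SAMPLE_INPUT))
```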
Comment 2 Sam James archtester gentoo-dev Security 2020-06-20 01:47:58 UTC

Upstream say INVALID.