(https://nvd.nist.gov/vuln/detail/CVE-2019-8341):

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.

Reference: https://www.exploit-db.com/exploits/46386

@maintainer(s): unclear if this issue was reported to upstream

Gentoo Security Padawan (domhnall)
Disputed: https://github.com/pallets/jinja/issues/549#issuecomment-187625168

>You should not execute untrusted templates in a non-sandboxed environment. That's exactly why the sandbox exists (and to be honest, even with a sandbox I would not let users provide arbitrary Jinja templates)
Upstream say INVALID.
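
The distinction upstream draws in the quoted comment, shown as an added example that is not part of this bug thread or of Jinja2's own code: request data used as template source, the same data passed as a variable to a fixed template, and rendering through `jinja2.sandbox.SandboxedEnvironment`. `PROBE`, `Account` and the three function names are hypothetical, and the input is a constructed, harmless arithmetic probe.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment, unsafe

# Constructed sample input: a harmless arithmetic probe standing in for
# untrusted text taken from a URI.
PROBE = "{{ 7 * 7 }}"


class Account:
    """Constructed context object with one method templates must not call."""

    def __init__(self, owner):
        self.owner = owner

    @unsafe  # marks the callable as off limits inside the sandbox
    def close(self):
        return "closed"


def render_input_as_source(user_input):
    # Pattern from the CVE description: request data becomes template source,
    # so any expression in it is evaluated.
    return Environment().from_string("Hello " + user_input).render()


def render_input_as_data(user_input):
    # Fixed template source; request data only reaches it as a variable and
    # is emitted literally, never parsed as template syntax.
    return Environment().from_string("Hello {{ name }}").render(name=user_input)


def render_in_sandbox(source, **context):
    # For applications that must accept user-supplied templates: expressions
    # are still evaluated, but unsafe attribute access and calls are refused.
    try:
        return SandboxedEnvironment().from_string(source).render(**context)
    except SecurityError as exc:
        return "blocked: " + type(exc).__name__
```

The sandbox still evaluates expressions; it only restricts what they can reach, which is why passing untrusted input as data is the stronger of the two controls.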