678268 – (CVE-2019-8341) dev-python/jinja: server side injection in 'from_string' function

Bug 678268 (CVE-2019-8341) - dev-python/jinja: server side injection in 'from_string' function

Summary: dev-python/jinja: server side injection in 'from_string' function

Status:	RESOLVED INVALID

Alias:	CVE-2019-8341

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/JameelNabbo/Jinja2...
Whiteboard:	B2 [upstream]
Keywords:

Depends on:
Blocks:

Reported:	2019-02-18 03:58 UTC by D'juan McDonald (domhnall)
Modified:	2020-06-20 01:47 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description D'juan McDonald (domhnall) 2019-02-18 03:58:55 UTC

(https://nvd.nist.gov/vuln/detail/CVE-2019-8341):

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.

Reference: https://www.exploit-db.com/exploits/46386

@maintainer(s): unclear if this issue was reported to upstream


Gentoo Security Padawan
(domhnall)

Comment 1 Sam James archtester

2020-03-15 15:50:57 UTC

Disputed: https://github.com/pallets/jinja/issues/549#issuecomment-187625168

>You should not execute untrusted templates in a non-sandboxed environment. That's exactly why the sandbox exists (and to be honest, even with a sandbox I would not let users provide arbitrary Jinja templates)

Comment 2 Sam James archtester

2020-06-20 01:47:58 UTC

Upstream say INVALID.