Bug 678268 (CVE-2019-8341) - dev-python/jinja: server side injection in 'from_string' function
Summary: dev-python/jinja: server side injection in 'from_string' function
Status: UNCONFIRMED
Alias: CVE-2019-8341
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/JameelNabbo/Jinja2...
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-18 03:58 UTC by D'juan McDonald (domhnall)
Modified: 2019-02-18 03:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description D'juan McDonald (domhnall) 2019-02-18 03:58:55 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-8341):

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.

Reference: https://www.exploit-db.com/exploits/46386

@maintainer(s): unclear if this issue was reported to upstream


Gentoo Security Padawan
(domhnall)
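The pattern the report describes (untrusted text handed to from_string as the template source) next to the safe pattern (a fixed template with the untrusted text passed only as a variable), as an added example that is not part of this bug report or of Jinja2's own code. It assumes jinja2 is installed; the render context and the probe inputs are constructed sample data.

```python
"""Untrusted input as Jinja2 template SOURCE (SSTI) versus as a template VARIABLE.

Added example, not code from the bug or from Jinja2. Assumes jinja2 is
installed (pip install jinja2); CONTEXT and the probe strings are constructed.
"""
try:
    from jinja2 import Environment
except ImportError:  # keeps the module importable on hosts without jinja2
    Environment = None

# Constructed data a web application might carry in its render context.
CONTEXT = {"user": "alice", "secret": "CONSTRUCTED-SECRET"}


def render_vulnerable(untrusted: str) -> str:
    """The vulnerable pattern from the report: user input becomes the template.

    Anything the user writes between {{ }} is evaluated by the engine with the
    full render context, so every value in CONTEXT is exposed to that input.
    """
    env = Environment()
    return env.from_string(untrusted).render(**CONTEXT)


def render_safe(untrusted: str) -> str:
    """The safe pattern: the template source is a fixed, developer-controlled
    string; the user input is only a variable and is never parsed as a template.
    autoescape=True additionally HTML-escapes the value for web output."""
    env = Environment(autoescape=True)
    template = env.from_string("Hello, {{ name }}!")  # fixed source
    return template.render(name=untrusted)


def is_template_like(untrusted: str) -> bool:
    """Cheap detection aid for logging or alerting: does the input carry Jinja2
    delimiters? This is a signal, not a fix; the fix is render_safe."""
    return any(tok in untrusted for tok in ("{{", "{%", "{#"))


if __name__ == "__main__":
    probe = "{{ secret }}"  # constructed: reads a context value, no code execution
    print(render_vulnerable(probe))  # CONSTRUCTED-SECRET  (context leaked)
    print(render_safe(probe))        # Hello, {{ secret }}!  (left as literal text)
```

The vulnerable function is only "vulnerable" when the string it receives is attacker-controlled; the same from_string call is fine when the source is a fixed string written by the developer, which is why upstream treats this as an API-misuse issue rather than a library bug.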