SB2024122789 - Multiple vulnerabilities in Jinja
Published: December 27, 2024
Security Bulletin ID
SB2024122789
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Security features bypass (CVE-ID: CVE-2024-56326)
The vulnerability allows a local user to bypass sandbox restrictions.
The vulnerability exists in the way the Jinja sandboxed environment detects calls to str.format. A local user with the ability to control the contents of a template can bypass sandbox restrictions.2) Security features bypass (CVE-ID: CVE-2024-56201)
The vulnerability allows a local user to bypass sandbox restrictions.
The vulnerability exists due to improper validation of user-supplied input. A local user with the ability to control both the filename and the contents of a template can bypass sandbox restrictions.
Remediation
Install update from vendor's website.
References
- https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
- https://github.com/pallets/jinja/releases/tag/3.1.5
- https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
- https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
- https://github.com/pallets/jinja/issues/1792
- https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699