#VU101972 Security features bypass in Jinja - CVE-2024-56326

Cybersecurity Help s.r.o.

Published: 2024-12-27 | Updated: 2025-02-11

Vulnerability identifier: #VU101972

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56326

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Jinja
Web applications / Modules and components for CMS

Vendor: The Pallets Projects

Description

The vulnerability allows a local user to bypass sandbox restrictions.

The vulnerability exists in the way the Jinja sandboxed environment detects calls to str.format. A local user with the ability to control the contents of a template can bypass sandbox restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jinja: 2.0 - 3.1.4

External links
https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
https://github.com/pallets/jinja/releases/tag/3.1.5
https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM SOAR QRadar Plugin App

Anolis OS update for python-jinja2

Anolis OS update for fence-agents

Multiple vulnerabilities in IBM watsonx Code Assistant On Prem

Multiple vulnerabilities in IBM Maximo Application Suite - Predict Component

Multiple vulnerabilities in Red Hat Satellite 6.16

Red Hat Enterprise Linux 8 update for python-jinja2

Ubuntu update for jinja2