CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56326 – Jinja has a sandbox breakout through indirect reference to format method
https://notcve.org/view.php?id=CVE-2024-56326
23 Dec 2024 — Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. • https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4 • CWE-693: Protection Mechanism Failure CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56201 – Jinja has a sandbox breakout through malicious filenames
https://notcve.org/view.php?id=CVE-2024-56201
23 Dec 2024 — Jinja is an extensible templating engine. Prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where th... • https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34064 – Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
https://notcve.org/view.php?id=CVE-2024-34064
06 May 2024 — Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addres... • https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22195 – Jinja vulnerable to Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2024-22195
11 Jan 2024 — Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.... • https://github.com/pallets/jinja/releases/tag/3.1.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •