#VU101971 Security features bypass in Jinja - CVE-2024-56201
Vulnerability identifier: #VU101971
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-254
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Jinja
Web applications /
Modules and components for CMS
Vendor: The Pallets Projects
Description
The vulnerability allows a local user to bypass sandbox restrictions.
The vulnerability exists due to improper validation of user-supplied input. A local user with the ability to control both the filename and the contents of a template can bypass sandbox restrictions.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Jinja: 2.0 - 3.1.4
External links
https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
https://github.com/pallets/jinja/issues/1792
https://github.com/pallets/jinja/releases/tag/3.1.5
https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
