7.5
CVSSv2

CVE-2019-8341

Published: 15/02/2019 Updated: 06/08/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

** DISPUTED ** An issue exists in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.

Vulnerability Trend

Affected Products

Vendor Product Versions
PocooJinja22.10

Vendor Advisories

Impact: Low Public Date: 2019-02-14 CWE: CWE-77 Bugzilla: 1677653: CVE-2019-8341 python-jinja2: command ...
An issue was discovered in Jinja2 210 The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it The attacker can exploit it with {{INJECTION COMMANDS}} in a URI ...

Exploits

''' # Exploit Title: Jinja2 Command injection from_string function # Date: [date] # Exploit Author: JameelNabbo # Website: Ordinanl # Vendor Homepage: jinjapocooorg # Software Link: pypiorg/project/Jinja2/#files # Version: 210 # Tested on: Kali Linux # CVE-2019-8341 // from_string function is prone to SSTI where it takes the " ...

Mailing Lists

Jinja2 version 210 suffers from a command injection vulnerability ...