CVSSv3: 9.8

CVE-2019-8341

Published: 15/02/2019 Updated: 11/04/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 755
Vector (CVSS v2): AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI): it takes the "source" parameter as a template object, renders it, and returns the result. An attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid, because users shouldn't use untrusted templates without sandboxing.

Vulnerable Products

- pocoo jinja2 2.10
- opensuse leap 42.3
- opensuse leap 15.0

Vendor Advisories

Impact: Low | Public Date: 2019-02-14 | CWE: CWE-77 | Bugzilla: 1677653: CVE-2019-8341 python-jinja2: command ...
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI ...

Exploits

''' # Exploit Title: Jinja2 Command injection from_string function # Date: [date] # Exploit Author: JameelNabbo # Website: Ordinanl # Vendor Homepage: jinja.pocoo.org # Software Link: pypi.org/project/Jinja2/#files # Version: 2.10 # Tested on: Kali Linux # CVE-2019-8341 // from_string function is prone to SSTI where it takes the " ...
Jinja2 version 2.10 suffers from a command injection vulnerability ...

Github Repositories

Web application vulnerable to Python3 Flask SSTI (CVE-2019-8341)

Llama Facts: This project was originally created for the Rochester Institute of Technology (RIT) Women in Cybersecurity (WIYCS) 2022 CTF competition. It is vulnerable to Server-Side Template Injection (SSTI), defined in the disputed CVE CVE-2019-8341. Challenge Description: A Computer Science 1 student created a website to showcase their newly-acquired Python skills.