EIQ-2019-0017

ID	EIQ-2019-0017
CVE	CVE-2019-10906
Description	Jinja2 2.10 and earlier allows sandbox escape
Date	15 Apr 2019
Severity	3 - HIGH
CVSSv3 score	8.6
Status	All versions
Assessment	The Python `str.format_map` method in Jinja2 versions 2.10 and earlier allows escaping the sandbox. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system. An attacker could bypass security restrictions and escape the sandbox environment to carry out further attacks, and to execute malicious commands on the targeted system. It is possible to exploit the vulnerability only on systems that accept templates from untrusted sources. The vulnerability does not affect EclecticIQ Platform because the platform does not load Jinja2 templates from external sources. Therefore, there is no exposure surface to exploit the vulnerability in the platform.
Mitigation	Upgrade Jinja2 to version 2.10.1 or later.
Affected versions	None
Notes	For more information, see: Jinja 2.10.1 Security Release CIRCL CVE-2019-10906 report Snyk CVE-2019-10906 report Cisco Advisories and Alerts ID 59936 Cisco Advisories and Alerts ID 59937

In release notes 2.4.0