EIQ-2019-0017



ID

EIQ-2019-0017

CVE

CVE-2019-10906

Description

Jinja2 2.10 and earlier allows sandbox escape

Date

15 Apr 2019

Severity

3 - HIGH

CVSSv3 score

8.6

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg All versions

Assessment

The Python str.format_map method in Jinja2 versions 2.10 and earlier allows escaping the sandbox.

An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system.
An attacker could bypass security restrictions and escape the sandbox environment to carry out further attacks, and to execute malicious commands on the targeted system.

It is possible to exploit the vulnerability only on systems that accept templates from untrusted sources.

The vulnerability does not affect EclecticIQ Platform because the platform does not load Jinja2 templates from external sources.
Therefore, there is no exposure surface to exploit the vulnerability in the platform.

Mitigation

Upgrade Jinja2 to version 2.10.1 or later.

Affected versions

None

Notes

For more information, see:

< Back to all security issues and mitigation actions


In release notes 2.4.0