Vulnerabilities in Jinja Templating Engine Affecting Application Security
CVE-2024-56201

5.4 MEDIUM

Key Information:

Vendor: Pallets

Status
Vendor
CVE Published: 23 December 2024

What is CVE-2024-56201?

The Jinja templating engine contains a flaw that poses a significant security risk to applications that execute untrusted templates. Before version 3.1.5, a bug in the Jinja compiler could be exploited by an attacker who controls both the content and the filename of a template. The result is arbitrary Python code execution, even when Jinja's sandbox is used. The vulnerability is particularly relevant to applications that allow template authors to define both the content and the filename of templates. The issue is fixed in Jinja version 3.1.5, and it is critical that users upgrade to this version to mitigate potential attacks.

Affected Version(s)

jinja >= 3.0.0, < 3.1.5
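
A check for the affected range stated above, as an added example (not code from the advisory or from Pallets). It assumes the package is installed under its PyPI distribution name Jinja2 and that requirement lines are simple exact pins; the sample requirements text is constructed.

```python
import re
from importlib import metadata

# Affected range as stated on this page: >= 3.0.0, < 3.1.5
AFFECTED_MIN, FIXED = (3, 0, 0), (3, 1, 5)
# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
flask==3.0.3
Jinja2==3.1.4   # exact pin inside the affected range
jinja2-time==0.2.0
jinja2>=3.0
"""
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
EXACT_PIN = re.compile(r"==\s*([0-9]+(?:\.[0-9]+)*)")

def release_tuple(version):
    """Leading numeric release padded to three parts; suffixes like 'rc1' are ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return AFFECTED_MIN <= release_tuple(version) < FIXED

def scan_requirements(text):
    """Return (line_no, version, status) for every Jinja2 requirement line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line.split("#", 1)[0].strip())
        # Compare the normalized distribution name so 'jinja2-time' is not mistaken for Jinja2.
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "jinja2":
            continue
        pin = EXACT_PIN.fullmatch(m.group(2).split(";", 1)[0].strip())
        if pin is None:  # range, wildcard or unpinned: resolve it from the lock file instead
            findings.append((n, None, "unknown"))
        else:
            status = "affected" if is_affected(pin.group(1)) else "not affected"
            findings.append((n, pin.group(1), status))
    return findings

def installed_status():
    """(version, affected) for Jinja2 in the running environment, or None if not installed."""
    try:
        version = metadata.version("Jinja2")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)
```

A version outside the range only rules out this CVE; whether an application is exposed also depends on whether untrusted authors can set both template content and filename, as described above.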

CVSS V4

Score: 5.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
