CVE-2024-56326Protection Mechanism Failure in Jinja

CWE-693Protection Mechanism FailureCWE-1336Improper Neutralization of Special Elements Used in a Template EngineCWE-94Code Injection12 documents8 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 43.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Pallets JinjaPocoo Jinja2Palletsprojects Jinja
Timeline
PublishedDec 23
Latest updateMar 11

Description

Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages5 packages

PyPIpocoo/jinja2< 3.1.5
CVEListV5pallets/jinja< 3.1.5
Debianpocoo/jinja2< 2.11.3-1+deb11u3+3
Ubuntupocoo/jinja2< 2.10.1-2ubuntu0.4+3

Patches

Patch: github.com

🔴Vulnerability Details

6
OSV
jinja2 vulnerabilities2025-03-11
OSV
jinja2 vulnerabilities2025-01-30
CVEList
Jinja has a sandbox breakout through indirect reference to format method2024-12-23
OSV
Jinja has a sandbox breakout through indirect reference to format method2024-12-23
OSV
CVE-2024-56326: Jinja is an extensible templating engine2024-12-23

📋Vendor Advisories

5
Ubuntu
Jinja2 vulnerabilities2025-03-11
Ubuntu
Jinja2 vulnerabilities2025-01-30
Red Hat
jinja2: Jinja has a sandbox breakout through indirect reference to format method2024-12-23
Microsoft
Jinja has a sandbox breakout through indirect reference to format method2024-12-10
Debian
CVE-2024-56326: jinja2 - Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how th...2024
CVE-2024-56326 — Protection Mechanism Failure in Jinja | cvebase