Improper Neutralization of Special Elements

CVE-2019-10906

High

8.6/10

Summary

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-138 - Improper Neutralization of Special Elements

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

References

Advisory
Release Note
Issue

Advisory Timeline

Published Apr 07, 2019

Improper Neutralization of Special Elements

CVE-2019-10906

Summary

CWE-138 - Improper Neutralization of Special Elements

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS