Protection Mechanism Failure

CVE-2024-56326

Severity Medium
Score 5.4/10

Summary

Jinja is an extensible templating engine. In affected versions, an oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch direct calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, and then pass that to a filter that calls it. No such filters are built into Jinja, but they could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This issue affects Jinja2 versions prior to 3.1.5.
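The two checks an application owner can run against the description above, written here as an added example rather than code from Jinja or from the advisory: a version test against the fixed release (3.1.5) and a guard that a custom filter can apply before invoking a callable it received from template code, refusing bound `str.format` / `str.format_map` methods (and the unbound `str.format` descriptor) so that the indirect-call path the advisory describes is closed even on an unpatched install. The filter name `apply`, the helper names and the sample version strings are assumptions made for this example; the upstream fix lives in the sandbox itself and does not depend on any of this.

```python
import re

# Version in which Jinja2 handles indirect str.format calls in the sandbox,
# taken from the advisory text above.
FIXED_VERSION = (3, 1, 5)


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; pre-release tags are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(version: str) -> bool:
    """True for Jinja2 versions prior to 3.1.5."""
    return parse_version(version) < FIXED_VERSION


def is_str_format_method(obj) -> bool:
    """True when obj is str.format / str.format_map, bound or unbound.

    This is the class of callable the advisory describes: a template stores a
    reference to ``some_string.format`` and hands it to a filter that calls it.
    """
    if getattr(obj, "__name__", None) not in ("format", "format_map"):
        return False
    # Bound method of a str (or str subclass) instance, e.g. "{}".format
    if isinstance(getattr(obj, "__self__", None), str):
        return True
    # Unbound descriptor, e.g. str.format, callable as str.format("{}", x)
    objclass = getattr(obj, "__objclass__", None)
    return isinstance(objclass, type) and issubclass(objclass, str)


def safe_apply(fn, *args, **kwargs):
    """Body of a hypothetical custom filter that invokes a callable it was handed.

    A naive filter would simply ``return fn(*args, **kwargs)``.  This one refuses
    str.format methods, so a template cannot route them through the filter to
    bypass the sandbox's own check on direct calls.
    """
    if not callable(fn):
        raise TypeError("filter 'apply' expects a callable")
    if is_str_format_method(fn):
        raise ValueError("refusing to call str.format/format_map from a template filter")
    return fn(*args, **kwargs)


try:
    # Optional: only needed for the rendering helper below.
    from jinja2.sandbox import SandboxedEnvironment
except ImportError:  # the guard and version check above do not need jinja2
    SandboxedEnvironment = None


def render_sandboxed(template_source: str, **context) -> str:
    """Render template_source in a SandboxedEnvironment whose 'apply' filter is guarded."""
    if SandboxedEnvironment is None:
        raise RuntimeError("jinja2 is not installed")
    env = SandboxedEnvironment()
    env.filters["apply"] = safe_apply  # hypothetical filter name for this example
    return env.from_string(template_source).render(**context)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for v in ("3.1.4", "3.1.5", "3.2.0"):
        print(v, "affected" if is_affected_version(v) else "fixed")
    print(safe_apply(str.upper, "shout"))  # an ordinary callable is allowed
    try:
        safe_apply("{0}".format, 1)  # a bound str.format method is refused
    except ValueError as exc:
        print("blocked:", exc)
    if SandboxedEnvironment is not None:
        print(render_sandboxed('{{ f | apply("abc") }}', f=str.upper))
```

The guard is deliberately narrow: it names only the callables the advisory identifies, so legitimate filter arguments (ordinary functions, other bound methods) still work. Upgrading to Jinja2 3.1.5 or later remains the actual fix; the guard is what an application can do in its own filters while it verifies that the upgrade has reached every deployment.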

CVSS Base Metrics

  • LOW
  • LOCAL
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-693 - Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Advisory Timeline

  • Published