CVE-2016-10745

high

Description

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html

https://access.redhat.com/errata/RHSA-2019:1022

https://access.redhat.com/errata/RHSA-2019:1237

https://access.redhat.com/errata/RHSA-2019:1260

https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16

https://palletsprojects.com/blog/jinja-281-released/

https://usn.ubuntu.com/4011-1/

https://usn.ubuntu.com/4011-2/

Details

Source: MITRE

Published: 2019-04-08

Updated: 2019-06-06

Type: CWE-134 (Use of Externally-Controlled Format String)

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Impact Score: 4

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:palletsprojects:jinja:*:*:*:*:*:*:*:*

Tenable Plugins


ID     | Name                                                                                         | Product | Family                                  | Severity
-------+----------------------------------------------------------------------------------------------+---------+-----------------------------------------+---------
131677 | RHEL 7 : python-jinja2 (RHSA-2019:4062)                                                      | Nessus  | Red Hat Local Security Checks           | high
131374 | RHEL 7 : python-jinja2 (RHSA-2019:3964)                                                      | Nessus  | Red Hat Local Security Checks           | high
129193 | EulerOS 2.0 SP3 : python-jinja2 (EulerOS-SA-2019-2000)                                       | Nessus  | Huawei Local Security Checks            | high
127294 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python-jinja2 Vulnerability (NS-SA-2019-0082)          | Nessus  | NewStart CGSL Local Security Checks     | high
127288 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python-jinja2 Vulnerability (NS-SA-2019-0078)          | Nessus  | NewStart CGSL Local Security Checks     | high
126850 | EulerOS 2.0 SP2 : python-jinja2 (EulerOS-SA-2019-1722)                                       | Nessus  | Huawei Local Security Checks            | high
126831 | Amazon Linux 2 : python-jinja2 (ALAS-2019-1223)                                              | Nessus  | Amazon Linux Local Security Checks      | high
126233 | openSUSE Security Update : python-Jinja2 (openSUSE-2019-1614)                                | Nessus  | SuSE Local Security Checks              | critical
125902 | Amazon Linux AMI : python-jinja2 (ALAS-2019-1223)                                            | Nessus  | Amazon Linux Local Security Checks      | high
125772 | Ubuntu 14.04 LTS : jinja2 vulnerabilities (USN-4011-2)                                       | Nessus  | Ubuntu Local Security Checks            | high
125771 | Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : jinja2 vulnerabilities (USN-4011-1)           | Nessus  | Ubuntu Local Security Checks            | high
125571 | EulerOS Virtualization for ARM 64 3.0.2.0 : python-jinja2 (EulerOS-SA-2019-1619)             | Nessus  | Huawei Local Security Checks            | high
125522 | EulerOS 2.0 SP5 : python-jinja2 (EulerOS-SA-2019-1595)                                       | Nessus  | Huawei Local Security Checks            | high
125107 | Oracle Linux 7 : python-jinja2 (ELSA-2019-1022)                                              | Nessus  | Oracle Linux Local Security Checks      | high
125022 | openSUSE Security Update : python-Jinja2 (openSUSE-2019-1395)                                | Nessus  | SuSE Local Security Checks              | critical
125016 | Scientific Linux Security Update : python-jinja2 on SL7.x (noarch) (20190507)                | Nessus  | Scientific Linux Local Security Checks  | high
124872 | CentOS 7 : python-jinja2 (CESA-2019:1022)                                                    | Nessus  | CentOS Local Security Checks            | high
124692 | RHEL 7 : python-jinja2 (RHSA-2019:1022)                                                      | Nessus  | Red Hat Local Security Checks           | high