CVE-2019-10906

High

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

mitre·NVD-CWE-noinfo·Published 2019-04-06

CVSS

8.6

EPSS

0.04

KEV

Exploits

Vendor statements (10)

cve.orgen

71 chars

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

GHSAen

700 chars

In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox. This issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods. If you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.

NVDes

99 chars

En Pallets Jinja, en versiones anteriores a la 2.10.1, str.format_map permite un escape de sandbox.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
3.1	Primary	NVD	8.6	3.9	4.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
3.1	Secondary	GHSA	8.6	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0	Secondary	GHSA	7.7	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N