AI description
CVE-2024-56326 is a template injection vulnerability found in the Jinja templating engine before version 3.1.5. The vulnerability stems from an oversight in Jinja's sandboxed environment, specifically in how it handles calls to Python's `str.format` function. This flaw allows attackers who can control template content to bypass the sandbox and execute arbitrary Python code. Exploitation of this vulnerability requires an attacker to have control over the content of a Jinja template. By manipulating the template content to include specific calls to the `str.format` method, the attacker can escape the sandboxed environment and execute unintended Python code on the server.
- Description: Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built into Jinja, but they could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5.
- Source: security-advisories@github.com
- NVD status: Awaiting Analysis
CVSS 4.0
- Type: Secondary
- Base score: 5.4
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: MEDIUM
CVSS 3.1
- Type: Secondary
- Base score: 7.8
- Impact score: 5.9
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- Source: security-advisories@github.com
- CWE-693
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 3
do not overlook SSTI, I asked the team for the flaw (I was curious how SSTI could even occur these days) and they told me that they were vulnerable to CVE-2024-56326 :-] https://t.co/tbKv6upuoW
@YShahinzadeh
21 Feb 2025
7433 Impressions
13 Retweets
366 Likes
84 Bookmarks
5 Replies
0 Quotes
Jinja2's CVE-2024-56326 says "This vulnerability is rated as Moderate" in the body text, yet it is listed as Important 6.3; I wonder if it was re-rated in combination with CVE-2024-56201 (Important 7.3) or something like that. // CVE-2024-56326 - Red Hat Customer Portal https://t.co/XN8odLmQDT
@w4yh
24 Jan 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-56326 (CVSS:7.8, HIGH) is Awaiting Analysis. Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects ca..https://t.co/GVNBnApSlt #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
28 Dec 2024
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-56326 (CVSS:10.0, CRITICAL) is Awaiting Analysis. Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects ca..https://t.co/GVNBnApSlt #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
27 Dec 2024
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-56326 Arbitrary Code Execution Vulnerability in Jinja Template ... https://t.co/h5rdRdvx8X Don't wait for vulnerability scanning results: https://t.co/oh1APvMMnd
@VulmonFeeds
23 Dec 2024
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-56326 Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that cont… https://t.co/y7mXyQREdo
@CVEnew
23 Dec 2024
472 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes