CVE-2024-56201

Jinja has a sandbox breakout through malicious filenames

Description

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

INFO

Published Date :

2024-12-23T15:37:36.110Z

Last Modified :

2025-02-18T21:47:42.763Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2024-56201 vulnerability.

Vendors	Products
Palletsprojects	Jinja
Redhat	Ansible Automation Platform Discovery Enterprise Linux Openshift Openshift Ai Openshift Ironic Openstack Rhdh Rhel E4s Rhel Eus Satellite Satellite Capsule

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-56201.

URL	Resource
https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
https://github.com/pallets/jinja/issues/1792
https://github.com/pallets/jinja/releases/tag/3.1.5
https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
https://nvd.nist.gov/vuln/detail/CVE-2024-56201
https://www.cve.org/CVERecord?id=CVE-2024-56201