From 2d172b3f24444d56d161d1f25256eac3d7c96a79 Mon Sep 17 00:00:00 2001
From: ostorlab
Date: Fri, 26 Jan 2024 14:33:05 +0100
Subject: [PATCH] Feature/Scan fingerprints

---
 tests/api_manager/osv_service_api_test.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/tests/api_manager/osv_service_api_test.py b/tests/api_manager/osv_service_api_test.py
index a12079a..78fa870 100644
--- a/tests/api_manager/osv_service_api_test.py
+++ b/tests/api_manager/osv_service_api_test.py
@@ -2,9 +2,6 @@ from agent.api_manager import osv_service_api
-OSV_OUTPUT = '{"vulns":[{"id":"GHSA-462w-v97r-4m45","summary":"Jinja2 sandbox escape via string formatting","details":"In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape.\\n\\nThe sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox.\\n\\nThis issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods.\\n\\nIf you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.","aliases":["CVE-2019-10906","PYSEC-2019-217"],"modified":"2023-11-08T04:00:58.644982Z","published":"2019-04-10T14:30:24Z","database_specific":{"github_reviewed_at":"2020-06-16T20:57:35Z","github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-693"],"nvd_published_at":"2019-04-07T00:29:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10906"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1152"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1237"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1329"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-462w-v97r-4m45"},{"type":"WEB","url":"https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.ap
ache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/"},{"type":"WEB","url":"https://palletsprojects.com/blog/jinja-2-10-1-released"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-2/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.1"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.10","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8","2.8.1","2.9","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","
2.9.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-462w-v97r-4m45/GHSA-462w-v97r-4m45.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]},{"id":"GHSA-8r7q-cvjq-x353","summary":"Incorrect Privilege Assignment in Jinja2","details":"The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.","aliases":["CVE-2014-1402","PYSEC-2014-8"],"modified":"2023-11-08T03:57:34.512953Z","published":"2022-05-14T04:04:14Z","database_specific":{"cwe_ids":["CWE-266"],"github_reviewed":true,"severity":"MODERATE","github_reviewed_at":"2022-07-07T22:50:31Z","nvd_published_at":"2014-05-19T14:55:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1402"},{"type":"WEB","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1051421"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8r7q-cvjq-x353"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-8.yaml"},{"type":"WEB","url":"https://oss.oracle.com/pipermail/el-errata/2014-June/004192.html"},{"type":"WEB","url":"http://advisories.mageia.org/MGASA-2014-0028.html"},{"type":"WEB","url":"http://jinja.pocoo.org/docs/changelog/"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2014/01/10/2"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2014/01/10/3"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2014-0747.html"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2014-0748.html"},{"type":"WEB","url":"http://secunia.com/advisories/56287"},{"type":"WEB","url":"http://secunia.com/advisories/58783"},{"type":"WEB","url
":"http://secunia.com/advisories/58918"},{"type":"WEB","url":"http://secunia.com/advisories/59017"},{"type":"WEB","url":"http://secunia.com/advisories/60738"},{"type":"WEB","url":"http://secunia.com/advisories/60770"},{"type":"WEB","url":"http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"},{"type":"WEB","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2014:096"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.2"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r7q-cvjq-x353/GHSA-8r7q-cvjq-x353.json"}}],"schema_version":"1.6.0"},{"id":"GHSA-fqh9-2qgg-h84h","summary":"Insecure Temporary File in Jinja2","details":"FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\'s uid. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.","aliases":["CVE-2014-0012","PYSEC-2014-82"],"modified":"2023-11-08T03:57:29.971954Z","published":"2022-05-17T04:01:00Z","database_specific":{"cwe_ids":["CWE-377"],"github_reviewed":true,"severity":"MODERATE","github_reviewed_at":"2023-02-14T00:58:39Z","nvd_published_at":"2014-05-19T14:55:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0012"},{"type":"WEB","url":"https://github.com/pallets/jinja2/pull/292"},{"type":"WEB","url":"https://github.com/pallets/jinja2/pull/296"},{"type":"WEB","url":"https://github.com/pallets/jinja/commit/acb672b6a179567632e032f547582f30fa2f4aa7"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1051421"},{"type":"PACKAGE","url":"https://github.com/pallets/jinja2"},{"type":"WEB","url":"http://seclists.org/oss-sec/2014/q1/73"},{"type":"WEB","url":"http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.2"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fqh9-2qgg-h84h/GHSA-fqh9-2qgg-h84h.json"}}],"schema_version":"1.6.0"},{"id":"GHSA-g3rq-g295-4j3m","summary":"Regular Expression Denial of Service (ReDoS) in Jinja2","details":"This affects the package jinja2 from 0.0.0 and before 2.11.3. 
The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.","aliases":["CVE-2020-28493","PYSEC-2021-66","SNYK-PYTHON-JINJA2-1012994"],"modified":"2023-11-08T04:03:28.543308Z","published":"2021-03-19T21:28:05Z","database_specific":{"cwe_ids":["CWE-400"],"github_reviewed":true,"severity":"MODERATE","github_reviewed_at":"2021-03-13T01:08:09Z","nvd_published_at":"2021-02-01T20:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28493"},{"type":"WEB","url":"https://github.com/pallets/jinja/pull/1343"},{"type":"WEB","url":"https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d"},{"type":"PACKAGE","url":"https://github.com/pallets/jinja"},{"type":"WEB","url":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202107-19"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.11.3"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.10","2.10.1","2.10.2","2.10.3","2.11.0","2.11.1","2.11.2","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8","2.8.1","2.9","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6"],"ecosystem_specific":{"affected_functions":["jinja2.utils.urlize"]},"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g3rq-g295-4j3m/GHSA-g3
rq-g295-4j3m.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]},{"id":"GHSA-h5c8-rqwp-cp95","summary":"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter","details":"The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.","aliases":["CVE-2024-22195"],"modified":"2024-01-25T03:46:07.488106Z","published":"2024-01-11T15:20:48Z","database_specific":{"github_reviewed_at":"2024-01-11T15:20:48Z","github_reviewed":true,"severity":"MODERATE","cwe_ids":["CWE-79"],"nvd_published_at":"2024-01-11T03:15:11Z"},"references":[{"type":"WEB","url":"https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22195"},{"type":"WEB","url":"https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7"},{"type":"PACKAGE","url":"https://github.com/pallets/jinja"},{"type":"WEB","url":"https://github.com/pallets/jinja/releases/tag/3.1.3"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/"}],"affected":[{"p
ackage":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.3"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.10","2.10.1","2.10.2","2.10.3","2.11.0","2.11.1","2.11.2","2.11.3","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8","2.8.1","2.9","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","3.0.0","3.0.0a1","3.0.0rc1","3.0.0rc2","3.0.1","3.0.2","3.0.3","3.1.0","3.1.1","3.1.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h5c8-rqwp-cp95/GHSA-h5c8-rqwp-cp95.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}]},{"id":"GHSA-hj2j-77xm-mc5v","summary":"High severity vulnerability that affects Jinja2","details":"In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.","aliases":["CVE-2016-10745","PYSEC-2019-220"],"modified":"2023-11-08T03:58:21.453618Z","published":"2019-04-10T14:30:13Z","database_specific":{"cwe_ids":["CWE-134"],"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2020-06-16T21:40:24Z","nvd_published_at":null},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10745"},{"type":"WEB","url":"https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1022"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1237"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1260"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:3964"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:4062"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-hj2j-77xm-mc5v"},{"type":"PACKAGE","url":"https://github.com/pallets/jinja"},{"type":"WEB","url":"https://palletsprojects.co
m/blog/jinja-281-released/"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-2/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.1"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-hj2j-77xm-mc5v/GHSA-hj2j-77xm-mc5v.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]},{"id":"PYSEC-2014-8","details":"The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in 
/tmp.","aliases":["CVE-2014-1402","GHSA-8r7q-cvjq-x353"],"modified":"2023-11-08T03:57:34.512953Z","published":"2014-05-19T14:55:00Z","references":[{"type":"WEB","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747"},{"type":"ADVISORY","url":"http://advisories.mageia.org/MGASA-2014-0028.html"},{"type":"WEB","url":"http://jinja.pocoo.org/docs/changelog/"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2014/01/10/3"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1051421"},{"type":"ADVISORY","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2014:096"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2014/01/10/2"},{"type":"ADVISORY","url":"http://secunia.com/advisories/59017"},{"type":"ADVISORY","url":"http://secunia.com/advisories/58918"},{"type":"ADVISORY","url":"http://secunia.com/advisories/60770"},{"type":"ADVISORY","url":"http://secunia.com/advisories/60738"},{"type":"ADVISORY","url":"http://secunia.com/advisories/56287"},{"type":"WEB","url":"http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"},{"type":"WEB","url":"https://oss.oracle.com/pipermail/el-errata/2014-June/004192.html"},{"type":"ADVISORY","url":"http://secunia.com/advisories/58783"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2014-0748.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2014-0747.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8r7q-cvjq-x353"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.2"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2014-8.yaml"}}],"schema_version":"1.6.0"},{"id":"PYSEC-2014-82","details":"FileSystemBytecodeCache in Jinja2 
2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\'s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.","aliases":["CVE-2014-0012","GHSA-fqh9-2qgg-h84h"],"modified":"2023-11-08T03:57:29.971954Z","published":"2014-05-19T14:55:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1051421"},{"type":"WEB","url":"https://github.com/mitsuhiko/jinja2/pull/292"},{"type":"FIX","url":"https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7"},{"type":"WEB","url":"http://seclists.org/oss-sec/2014/q1/73"},{"type":"WEB","url":"https://github.com/mitsuhiko/jinja2/pull/296"},{"type":"ADVISORY","url":"http://secunia.com/advisories/60738"},{"type":"WEB","url":"http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"},{"type":"ADVISORY","url":"http://secunia.com/advisories/56328"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"GIT","repo":"https://github.com/mitsuhiko/jinja2","events":[{"introduced":"0"},{"fixed":"acb672b6a179567632e032f547582f30fa2f4aa7"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.3"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2014-82.yaml"}}],"schema_version":"1.6.0"},{"id":"PYSEC-2019-217","details":"In Pallets Jinja before 2.10.1, str.format_map allows a sandbox 
escape.","aliases":["CVE-2019-10906","GHSA-462w-v97r-4m45"],"modified":"2023-11-08T04:00:58.644982Z","published":"2019-04-07T00:29:00Z","references":[{"type":"ARTICLE","url":"https://palletsprojects.com/blog/jinja-2-10-1-released"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1152"},{"type":"WEB","url":"http://lists.opensuse.o
rg/opensuse-security-announce/2019-05/msg00030.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1237"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1329"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-2/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-462w-v97r-4m45"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.1"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.10","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8","2.8.1","2.9","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2019-217.yaml"}}],"schema_version":"1.6.0"},{"id":"PYSEC-2019-220","details":"In Pallets Jinja before 2.8.1, str.format allows a sandbox 
escape.","aliases":["CVE-2016-10745","GHSA-hj2j-77xm-mc5v"],"modified":"2023-11-08T03:58:21.453618Z","published":"2019-04-08T13:29:00Z","references":[{"type":"ARTICLE","url":"https://palletsprojects.com/blog/jinja-281-released/"},{"type":"FIX","url":"https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1022"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1237"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1260"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4011-2/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3964"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4062"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-hj2j-77xm-mc5v"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"GIT","repo":"https://github.com/pallets/jinja","events":[{"introduced":"0"},{"fixed":"9b53045c34e61013dc8f09b7e52a555fa16bed16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.1"}]}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2019-220.yaml"}}],"schema_version":"1.6.0"},{"id":"PYSEC-2021-66","details":"This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. 
The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.","aliases":["CVE-2020-28493","GHSA-g3rq-g295-4j3m","SNYK-PYTHON-JINJA2-1012994"],"modified":"2023-11-08T04:03:28.543308Z","published":"2021-02-01T20:15:00Z","references":[{"type":"WEB","url":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"},{"type":"WEB","url":"https://github.com/pallets/jinja/pull/1343"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-g3rq-g295-4j3m"}],"affected":[{"package":{"name":"jinja2","ecosystem":"PyPI","purl":"pkg:pypi/jinja2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.11.3"}]}],"versions":["2.0rc1","2.0","2.1","2.1.1","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8","2.8.1","2.9","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.10","2.10.1","2.10.2","2.10.3","2.11.0","2.11.1","2.11.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2021-66.yaml"}}],"schema_version":"1.6.0"}]}'
-
-
 def testQueryOSVOutput_withPackage_returnListOfVulnerabilities() -> None:
 """Send request to osv and get the vulnerabilities."""
 osv_output = osv_service_api.query_osv_api(