Overview
Affected versions of this package are vulnerable to Improper Neutralization when importing a macro in a template whose filename is also a template. This will result in a SyntaxError: f-string: invalid syntax error message because the filename is not properly escaped, indicating that it is being treated as a format string.
Note: This is only exploitable when the attacker controls both the content and filename of a template and the application executes untrusted templates.
Completion Criteria
Jinja is upgraded to 3.1.5
Introduced through
[email protected] and [email protected]
Fixed in
[email protected]
Exploit maturity
No known exploit
Detailed paths and remediation
Introduced through: root@* › [email protected]
Fix: Upgrade jinja2 to version 3.1.5
Introduced through: root@* › [email protected] › [email protected]
Fix: Pin jinja2 to version 3.1.5
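Two defender-side checks that follow from the overview and the remediation above, as an added example that is not part of the Snyk issue or of Jinja2 itself. The first compares an installed jinja2 version against the fix version the page names (3.1.5) so a CI step can fail a vulnerable build; the second removes the precondition the note describes (an attacker choosing the template filename) by refusing template names that are not plain path-free identifiers, so no filename can carry template syntax even before the upgrade lands. The allowed-name pattern is a hypothetical policy chosen for this example, and the 3.1.5 threshold comes from the page.

```python
"""Version gate and template-name allowlist for the jinja2 filename issue.

Added example, not code from the issue or from Jinja2. Assumes:
  - the fix version 3.1.5 stated on the page;
  - SAFE_TEMPLATE_NAME is a hypothetical site policy (no braces, no '..',
    no leading '/', only letters/digits/_/- in each path segment).
"""
import re
from importlib import metadata

# "Fixed in: jinja2 3.1.5" on the page.
FIXED_VERSION = (3, 1, 5)

# Leading numeric components of a version string; pre-release suffixes such
# as "rc1" are ignored, so "3.1.5rc1" compares as 3.1.5 (a deliberate
# simplification; use packaging.version for full PEP 440 semantics).
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for a version string like '3.1.4'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_fixed_version(installed):
    """True when the given jinja2 version is at or above the fix version."""
    return parse_version(installed) >= FIXED_VERSION


def installed_jinja2_version():
    """Version of the jinja2 distribution in this environment, or None."""
    try:
        return metadata.version("jinja2")
    except metadata.PackageNotFoundError:
        return None


# Hypothetical allowlist: one or more path segments of [A-Za-z0-9_-], then a
# short lowercase extension. This excludes '{', '%', '..', absolute paths and
# whitespace, so a template name can never itself be parsed as a template.
SAFE_TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.[a-z0-9]{1,8}$")


def safe_template_name(name):
    """True when a caller-supplied template name matches the allowlist."""
    return bool(SAFE_TEMPLATE_NAME.fullmatch(name))


def check_environment():
    """Summarise both checks for a CI log; returns a dict of results."""
    version = installed_jinja2_version()
    return {
        "jinja2_version": version,
        "jinja2_fixed": is_fixed_version(version) if version else None,
    }


if __name__ == "__main__":
    print(check_environment())
    # Constructed sample names: the last two are rejected by policy.
    for candidate in ("emails/welcome.html", "{{ 7*7 }}.html", "../secret.txt"):
        print(f"{candidate!r}: allowed={safe_template_name(candidate)}")
```

Run the version gate in CI as `python -c "from jinja2_checks import check_environment; ..."` (module name is whatever you save the file as) and treat `jinja2_fixed == False` as a build failure; apply `safe_template_name` at the point where user input becomes a template name, before it reaches the loader.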
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 5.4 - Medium Severity | CVSS v3.1 6.7 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.