Sign In

CVE-2024-56201

ADVISORY - github

Summary

A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.

EPSS Score: 0.00064 (0.203)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

ADVISORY - github

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in