PYSEC-2019-220
Details
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
Affected packages
PyPI / jinja2
Introduced in: 0
Fixed in: 9b53045c34e61013dc8f09b7e52a555fa16bed16 (shipped in Jinja 2.8.1, per the Details above)
Fix:
pip install --upgrade 'jinja2>=2.8.1'
References
- https://palletsprojects.com/blog/jinja-281-released/ [ARTICLE]
- https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16 [FIX]
- https://access.redhat.com/errata/RHSA-2019:1022 [ADVISORY]
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html [WEB]
- https://access.redhat.com/errata/RHSA-2019:1237 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2019:1260 [ADVISORY]
- https://usn.ubuntu.com/4011-1/ [WEB]
- https://usn.ubuntu.com/4011-2/ [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html [WEB]
- https://access.redhat.com/errata/RHSA-2019:3964 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2019:4062 [ADVISORY]
- https://github.com/advisories/GHSA-hj2j-77xm-mc5v [ADVISORY]