VDB
DEBIAN-CVE-2019-8341
DEBIAN-CVE-2019-8341
PUBLISHED
CVSS 9.800000190734863 CRITICAL
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | jinja2 | 0, 3.1.6-1, 3.1.6-2 |
| Debian:13 | jinja2 | 0, 3.1.6-2, 0 |
| Debian:11 | jinja2 | 3.1.3-1.1, 2.11.3-1, 2.11.3-1+deb11u1 |
| Debian:12 | jinja2 | 3.1.3-2, 3.1.5-1, 3.1.5-2 |
Timeline
- Feb 15, 2019 CVE Published
- Apr 28, 2026 CVE Updated