CVE-2016-10745: Use of Externally-Controlled Format String
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. A template rendered with SandboxedEnvironment could call the `format` method of an ordinary string, and the format-field syntax (`{0.__class__...}`, `{0[key]}`) walked attributes and items inside `str.format` itself, bypassing the `getattr`/`getitem` checks the sandbox applies to template expressions. Jinja 2.8.1 intercepts bound `str.format` and `str.format_map` calls in the sandbox and routes every field lookup through those checks. The issue only matters where untrusted template authors are confined with SandboxedEnvironment; the default Environment is not a sandbox and was never meant to contain template authors.
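As an added illustration (not Jinja's own code; it uses only the Python standard library), the following shows why `str.format` is a sandbox escape and the shape of the 2.8.1 fix: every attribute and index step inside a format field is routed through the sandbox's attribute check, and bound `str.format`/`str.format_map` calls are intercepted before they run. The `Secret` class, `SECRET_TOKEN`, the "block names starting with an underscore" rule and all helper names are constructed assumptions for this example, not identifiers from Jinja.

```python
import re
import string

# Constructed stand-in for a value the sandbox is supposed to keep out of
# reach (assumption: think of a config secret living in module globals).
SECRET_TOKEN = "s3cr3t"


class Secret:
    """Constructed sample object handed to a template: `name` is fine to
    render, but its dunder attributes lead back into the interpreter."""

    def __init__(self):
        self.name = "public"


# Classic attribute-walk payload: from any instance to its class, to the
# class's __init__ function, to that function's module globals.
PAYLOAD = "{0.__class__.__init__.__globals__[SECRET_TOKEN]}"


def is_safe_attribute(name):
    """Simplified sandbox rule (assumption): block private/dunder names."""
    return not (isinstance(name, str) and name.startswith("_"))


def sandbox_getattr(obj, name):
    if not is_safe_attribute(name):
        raise PermissionError(f"sandbox blocked attribute {name!r}")
    return getattr(obj, name)


def sandbox_getitem(obj, key):
    """Item lookup; on failure fall back to a *checked* attribute lookup,
    the way a template's obj[key] would (simplified)."""
    try:
        return obj[key]
    except (TypeError, LookupError):
        if isinstance(key, str):
            return sandbox_getattr(obj, key)
        raise


def unsafe_format(fmt, *args, **kwargs):
    """Pre-fix behaviour: plain str.format does its own, unchecked traversal."""
    return fmt.format(*args, **kwargs)


_STEP = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


class SandboxedFormatter(string.Formatter):
    """string.Formatter whose field traversal goes through the sandbox checks
    (same idea as the Jinja 2.8.1 fix, reimplemented here)."""

    def get_field(self, field_name, args, kwargs):
        head_end = re.match(r"[^.\[]*", field_name).end()
        head = field_name[:head_end]
        first = int(head) if head.isdigit() else head
        obj = self.get_value(first, args, kwargs)
        for m in _STEP.finditer(field_name, head_end):
            if m.group(1) is not None:          # ".attr" step
                obj = sandbox_getattr(obj, m.group(1))
            else:                               # "[index]" step
                key = m.group(2)
                obj = sandbox_getitem(obj, int(key) if key.isdigit() else key)
        return obj, first


def safe_format(fmt, *args, **kwargs):
    return SandboxedFormatter().vformat(fmt, args, kwargs)


def sandbox_call(func, *args, **kwargs):
    """Intercept a bound str.format / str.format_map before it runs and
    substitute the sandboxed formatter; anything else is called as-is."""
    name = getattr(func, "__name__", None)
    target = getattr(func, "__self__", None)
    if name in ("format", "format_map") and isinstance(target, str):
        if name == "format_map":
            return SandboxedFormatter().vformat(target, (), args[0])
        return SandboxedFormatter().vformat(target, args, kwargs)
    return func(*args, **kwargs)


def format_blocked(fmt, *args, **kwargs):
    """True if the sandboxed formatter refuses the format string."""
    try:
        safe_format(fmt, *args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("unsandboxed:", unsafe_format(PAYLOAD, Secret()))
    print("sandboxed  :", "blocked" if format_blocked(PAYLOAD, Secret()) else "leaked")
```

The payload never names `SECRET_TOKEN` through any template-level attribute access, which is why a sandbox that only guards template expressions misses it; the fix works because the sandbox inspects the callable being invoked, not just the expression syntax.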
References
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
- access.redhat.com/errata/RHSA-2019:1022
- access.redhat.com/errata/RHSA-2019:1237
- access.redhat.com/errata/RHSA-2019:1260
- access.redhat.com/errata/RHSA-2019:3964
- access.redhat.com/errata/RHSA-2019:4062
- github.com/advisories/GHSA-hj2j-77xm-mc5v
- github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
- nvd.nist.gov/vuln/detail/CVE-2016-10745
- palletsprojects.com/blog/jinja-281-released/
- usn.ubuntu.com/4011-1/
- usn.ubuntu.com/4011-2/