chore(deps): update dependency jinja2 to v3.1.5 [security] #2137
Conversation
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @renovate[bot]. Thanks for your PR. I'm waiting for a janus-idp member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
The image is available at: |
renovate
bot
force-pushed
the
renovate/python-pypi-jinja2-vulnerability
branch
from
d2df7e8 to
91f5ca0
Compare
|
The image is available at: |
renovate
bot
force-pushed
the
renovate/python-pypi-jinja2-vulnerability
branch
from
91f5ca0 to
4e5a5be
Compare
|
The image is available at: |
renovate
bot
force-pushed
the
renovate/python-pypi-jinja2-vulnerability
branch
from
4e5a5be to
bd174fe
Compare
|
The image is available at: |
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/python-pypi-jinja2-vulnerability
branch
from
bd174fe to
3a00c5d
Compare
|
The image is available at: |
This PR contains the following updates:
==3.1.4->==3.1.5GitHub Vulnerability Alerts
CVE-2024-56326
An oversight in how the Jinja sandboxed environment detects calls to
str.formatallows an attacker that controls the content of a template to execute arbitrary Python code.To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to
str.formatand ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string'sformatmethod, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.CVE-2024-56201
A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.
To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.
Jinja has a sandbox breakout through indirect reference to format method
CVE-2024-56326 / GHSA-q2x7-8rv6-6q7h
More information
Details
An oversight in how the Jinja sandboxed environment detects calls to
str.formatallows an attacker that controls the content of a template to execute arbitrary Python code.To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to
str.formatand ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string'sformatmethod, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Jinja has a sandbox breakout through malicious filenames
CVE-2024-56201 / GHSA-gmj6-6f8f-6699
More information
Details
A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.
To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pallets/jinja (jinja2)
v3.1.5Compare Source
Unreleased
renderfor an async template usesasyncio.run.:pr:
1952auto_aiterwarnings. :pr:1960aclose-ableAsyncGeneratorfromTemplate.generate_async. :pr:1960root_render_func()unclosed inTemplate.generate_async. :pr:1960:pr:
1960Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.