CVE-2019-8341

Priority
Description
** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string
function is prone to Server Side Template Injection (SSTI) where it takes
the "source" parameter as a template object, renders it, and then returns
it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:
The maintainer and multiple third parties believe that this vulnerability
isn't valid because users shouldn't use untrusted templates without
sandboxing.
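To illustrate the point behind the dispute, here is an added example (not from the CVE entry, Ubuntu, or the Jinja2 project) contrasting user input rendered as template source with user input passed as render data, and what SandboxedEnvironment changes; the function names and the sample input are assumptions.

```python
"""Added example: untrusted text as template *source* vs. as render *data*,
and the effect of SandboxedEnvironment on untrusted source."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample of attacker-controlled input (e.g. a query parameter).
USER_INPUT = "{{ 7 * 7 }}"


def render_untrusted_as_template(user_input: str) -> str:
    """Vulnerable pattern from the CVE text: user input is spliced into the
    template source handed to from_string, so Jinja2 parses and evaluates
    any expression it contains instead of echoing it."""
    env = Environment()
    return env.from_string("Hello " + user_input).render()


def render_untrusted_as_data(user_input: str) -> str:
    """Correct pattern: the template is fixed, developer-authored text and the
    user input arrives as render context, so it is treated as a plain string
    and never parsed as template syntax."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_template_source(template_source: str, sandboxed: bool) -> str:
    """Render untrusted template source with or without the sandbox.

    SandboxedEnvironment withholds underscore-prefixed attributes (they come
    back as an undefined value, i.e. an empty string) and raises
    SecurityError when such a value is used further. It does not make the
    source inert: ordinary expressions such as arithmetic still evaluate.
    """
    env = SandboxedEnvironment() if sandboxed else Environment()
    try:
        return env.from_string(template_source).render(greeting="hi")
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(render_untrusted_as_template(USER_INPUT))  # Hello 49
    print(render_untrusted_as_data(USER_INPUT))      # Hello {{ 7 * 7 }}
    print(render_template_source("{{ greeting.__class__ }}", sandboxed=False))
    print(render_template_source("{{ greeting.__class__ }}", sandboxed=True))
```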
Notes
leosilva: further discussions about this CVE say it's an
invalid one. A reject was already sent to MITRE.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): ignored (rejected by upstream)
Ubuntu 14.04 ESM (Trusty Tahr): ignored (rejected by upstream)
Ubuntu 16.04 LTS (Xenial Xerus): ignored (rejected by upstream)
Ubuntu 18.04 LTS (Bionic Beaver): ignored (rejected by upstream)
Ubuntu 19.04 (Disco Dingo): ignored (rejected by upstream)
More Information

Updated: 2019-12-05 18:51:45 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)