suse · CVE-2019-8341

Quick triage

Priority: high Published: 2021-05-30 14:24:37 UTC Updated: 2026-03-05 06:24:52 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2019-8341 severity important: SUSE including 153 source package names (1.8.6.0.3.2.5:python3-Jinja2-2.10.1-3.5.1, 15.2.3.579.3.383:python3-Jinja2-2.10.1-3.5.1, …), 577 product×package rows across 305 product lines (Container ses/7.1/cephcsi/cephcsi, Container ses/7.1/rook/ceph, … (305 product lines)): Fixed 575, Will Not Fix 2.

Description:

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

cvelogic Threat Intelligence