Vulnerabilities > CVE-2016-10745 - Use of Externally-Controlled Format String vulnerability in Palletsprojects Jinja

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
palletsprojects
CWE-134
nessus

Summary

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0082_PYTHON-JINJA2.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python-jinja2 packages installed that are affected by a vulnerability: - In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. (CVE-2016-10745) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127294
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127294
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : python-jinja2 Vulnerability (NS-SA-2019-0082)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0082. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127294);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id("CVE-2016-10745");
    
      script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : python-jinja2 Vulnerability (NS-SA-2019-0082)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by a vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python-jinja2 packages installed that are
    affected by a vulnerability:
    
      - In Pallets Jinja before 2.8.1, str.format allows a
        sandbox escape. (CVE-2016-10745)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0082");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL python-jinja2 packages. Note that updated packages may not be available yet. Please contact
    ZTE for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10745");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.05" &&
        release !~ "CGSL MAIN 5.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.05": [
        "python-jinja2-2.7.2-3.el7_6"
      ],
      "CGSL MAIN 5.05": [
        "python-jinja2-2.7.2-3.el7_6"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-jinja2");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1022.NASL
    descriptionFrom Red Hat Security Advisory 2019:1022 : An update for python-jinja2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix(es) : * python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id125107
    published2019-05-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125107
    titleOracle Linux 7 : python-jinja2 (ELSA-2019-1022)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2019:1022 and 
    # Oracle Linux Security Advisory ELSA-2019-1022 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125107);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/17");
    
      script_cve_id("CVE-2016-10745");
      script_xref(name:"RHSA", value:"2019:1022");
    
      script_name(english:"Oracle Linux 7 : python-jinja2 (ELSA-2019-1022)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2019:1022 :
    
    An update for python-jinja2 is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The python-jinja2 package contains Jinja2, a template engine written
    in pure Python. Jinja2 provides a Django inspired non-XML syntax but
    supports inline expressions and an optional sandboxed environment.
    
    Security Fix(es) :
    
    * python-jinja2: Sandbox escape due to information disclosure via
    str.format (CVE-2016-10745)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-May/008705.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected python-jinja2 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-jinja2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-jinja2-2.7.2-3.el7_6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-jinja2");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1722.NASL
    descriptionAccording to the version of the python-jinja2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-07-22
    plugin id126850
    published2019-07-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126850
    titleEulerOS 2.0 SP2 : python-jinja2 (EulerOS-SA-2019-1722)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126850);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2016-10745"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : python-jinja2 (EulerOS-SA-2019-1722)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the python-jinja2 package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - python-jinja2: Sandbox escape due to information
        disclosure via str.format (CVE-2016-10745)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1722
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?145ae29b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected python-jinja2 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-jinja2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["python-jinja2-2.7.2-2.h1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-jinja2");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1595.NASL
    descriptionAccording to the version of the python-jinja2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-05-29
    plugin id125522
    published2019-05-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125522
    titleEulerOS 2.0 SP5 : python-jinja2 (EulerOS-SA-2019-1595)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125522);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2016-10745"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : python-jinja2 (EulerOS-SA-2019-1595)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the python-jinja2 package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - python-jinja2: Sandbox escape due to information
        disclosure via str.format (CVE-2016-10745)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1595
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?15056586");
      script_set_attribute(attribute:"solution", value:
    "Update the affected python-jinja2 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-jinja2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["python-jinja2-2.7.2-2.h1.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-jinja2");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1395.NASL
    descriptionThis update for python-Jinja2 to version 2.10.1 fixes the following issues : Security issues fixed : - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id125022
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125022
    titleopenSUSE Security Update : python-Jinja2 (openSUSE-2019-1395)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4011-1.NASL
    descriptionOlivier Dony discovered that Jinja incorrectly handled str.format. An attacker could possibly use this issue to escape the sandbox. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10745) Brian Welch discovered that Jinja incorrectly handled str.format_map. An attacker could possibly use this issue to escape the sandbox. (CVE-2019-10906). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125771
    published2019-06-07
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125771
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : jinja2 vulnerabilities (USN-4011-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4011-2.NASL
    descriptionUSN-4011-1 fixed several vulnerabilities in Jinja2. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details : Olivier Dony discovered that Jinja incorrectly handled str.format. An attacker could possibly use this issue to escape the sandbox. (CVE-2016-10745) Brian Welch discovered that Jinja incorrectly handled str.format_map. An attacker could possibly use this issue to escape the sandbox. (CVE-2019-10906). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125772
    published2019-06-07
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125772
    titleUbuntu 14.04 LTS : jinja2 vulnerabilities (USN-4011-2)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2000.NASL
    descriptionAccording to the version of the python-jinja2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-24
    plugin id129193
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129193
    titleEulerOS 2.0 SP3 : python-jinja2 (EulerOS-SA-2019-2000)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1223.NASL
    descriptionIn Pallets Jinja, str.format allows a sandbox escape. (CVE-2016-10745)
    last seen2020-06-01
    modified2020-06-02
    plugin id126831
    published2019-07-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126831
    titleAmazon Linux 2 : python-jinja2 (ALAS-2019-1223)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1619.NASL
    descriptionAccording to the version of the python-jinja2 package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.(CVE-2016-10745) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125571
    published2019-05-30
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125571
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : python-jinja2 (EulerOS-SA-2019-1619)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-4062.NASL
    descriptionAn update for python-jinja2 is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix(es) : * python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id131677
    published2019-12-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131677
    titleRHEL 7 : python-jinja2 (RHSA-2019:4062)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190507_PYTHON_JINJA2_ON_SL7_X.NASL
    description* python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745)
    last seen2020-03-18
    modified2019-05-14
    plugin id125016
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125016
    titleScientific Linux Security Update : python-jinja2 on SL7.x (noarch) (20190507)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1022.NASL
    descriptionAn update for python-jinja2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix(es) : * python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id124692
    published2019-05-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124692
    titleRHEL 7 : python-jinja2 (RHSA-2019:1022)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1022.NASL
    descriptionAn update for python-jinja2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix(es) : * python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id124872
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124872
    titleCentOS 7 : python-jinja2 (CESA-2019:1022)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1223.NASL
    descriptionIn Pallets Jinja, str.format allows a sandbox escape. (CVE-2016-10745)
    last seen2020-06-01
    modified2020-06-02
    plugin id125902
    published2019-06-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125902
    titleAmazon Linux AMI : python-jinja2 (ALAS-2019-1223)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3964.NASL
    descriptionAn update for python-jinja2 is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix(es) : * python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id131374
    published2019-11-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131374
    titleRHEL 7 : python-jinja2 (RHSA-2019:3964)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0078_PYTHON-JINJA2.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-jinja2 packages installed that are affected by a vulnerability: - In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. (CVE-2016-10745) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127288
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127288
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : python-jinja2 Vulnerability (NS-SA-2019-0078)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1614.NASL
    descriptionThis update for python-Jinja2 fixes the following issues : Security issues fixed : - CVE-2016-10745: Fixed a sandbox escape caused by an information disclosure via str.format (bsc#1132174). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). - CVE-2019-8341: Fixed command injection in function from_string (bsc#1125815). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id126233
    published2019-06-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126233
    titleopenSUSE Security Update : python-Jinja2 (openSUSE-2019-1614)

Redhat

advisories
  • bugzilla
    id1698345
    titleCVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • commentpython-jinja2 is earlier than 0:2.7.2-3.el7_6
        ovaloval:com.redhat.rhsa:tst:20191022001
      • commentpython-jinja2 is signed with Red Hat redhatrelease2 key
        ovaloval:com.redhat.rhsa:tst:20140747002
    rhsa
    idRHSA-2019:1022
    released2019-05-07
    severityImportant
    titleRHSA-2019:1022: python-jinja2 security update (Important)
  • rhsa
    idRHSA-2019:1237
  • rhsa
    idRHSA-2019:1260
  • rhsa
    idRHSA-2019:3964
  • rhsa
    idRHSA-2019:4062
rpms
  • python-jinja2-0:2.7.2-3.el7_6
  • rh-python35-python-jinja2-0:2.8.1-2.el6
  • rh-python35-python-jinja2-0:2.8.1-2.el7
  • python27-python-0:2.7.16-4.el6
  • python27-python-0:2.7.16-4.el7
  • python27-python-debug-0:2.7.16-4.el6
  • python27-python-debug-0:2.7.16-4.el7
  • python27-python-debuginfo-0:2.7.16-4.el6
  • python27-python-debuginfo-0:2.7.16-4.el7
  • python27-python-devel-0:2.7.16-4.el6
  • python27-python-devel-0:2.7.16-4.el7
  • python27-python-jinja2-0:2.6-12.el6
  • python27-python-jinja2-0:2.6-15.el7
  • python27-python-libs-0:2.7.16-4.el6
  • python27-python-libs-0:2.7.16-4.el7
  • python27-python-test-0:2.7.16-4.el6
  • python27-python-test-0:2.7.16-4.el7
  • python27-python-tools-0:2.7.16-4.el6
  • python27-python-tools-0:2.7.16-4.el7
  • python27-tkinter-0:2.7.16-4.el6
  • python27-tkinter-0:2.7.16-4.el7
  • python-jinja2-0:2.7.2-3.el7_5
  • python-jinja2-0:2.7.2-3.el7_4