CVE-2016-10745

Impact:
Important
Public Date:
2016-12-29
CWE:
CWE-138
Bugzilla:
1698345: CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format

The MITRE CVE dictionary describes this issue as:

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

Find out more about CVE-2016-10745 from the MITRE CVE dictionary and NIST NVD.

Statement

  • Red Hat OpenStack Platform is not affected by this flaw. All supported versions ship python-jinja2 packages which have already been fixed.
  • Red Hat Satellite 6 will receive fixes through the underlying Red Hat Enterprise Linux, so it will not issue updates to its own affected package.
  • Red Hat Update Infrastructure is not affected because its packaged versions of python-jinja2 do not use the Sandbox feature, nor does it allow untrusted jinja2 templates.
  • Red Hat Virtualization Management Appliance includes python-jinja2 as a dependency of ovirt-engine-backend, which only uses it with controlled format strings that are not exploitable.
  • Red Hat Ceph Storage 2 and 3 are affected by this flaw as they contain the vulnerable code; they will get security fixes for python-jinja2 from the Red Hat Enterprise Linux 7 channel.

CVSS v3 metrics

CVSS3 Base Score 9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform                                                                                Errata          Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (python27-python-jinja2)    RHSA-2019:1260  2019-05-22
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-python35-python-jinja2) RHSA-2019:1237  2019-05-16
Red Hat Enterprise Linux 7 (python-jinja2)                                              RHSA-2019:1022  2019-05-07
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-python35-python-jinja2) RHSA-2019:1237  2019-05-16
Red Hat Software Collections for Red Hat Enterprise Linux 7 (python27-python-jinja2)    RHSA-2019:1260  2019-05-22

Affected Packages State

Platform                                                    Package                        State
Red Hat Virtualization 4                                    rhvm-appliance                 Not affected
Red Hat Software Collections for Red Hat Enterprise Linux   rh-python36-python-jinja2      Not affected
Red Hat Satellite 6                                         python-jinja2                  Will not fix
Red Hat OpenStack Platform 14.0 (Rocky)                     python-jinja2                  Not affected
Red Hat OpenStack Platform 13.0 (Queens)                    python-jinja2                  Not affected
Red Hat Gluster Storage 3                                   python-jinja2                  Affected
Red Hat Enterprise Linux 8                                  python27:2.7/python-jinja2     Not affected
Red Hat Enterprise Linux 8                                  python-jinja2                  Not affected
Red Hat Enterprise Linux 6                                  python-jinja2                  Will not fix
Red Hat Ceph Storage 3                                      python-jinja2                  Will not fix
Red Hat Ceph Storage 2                                      python-jinja2                  Will not fix

Mitigation

If you do not want to or cannot upgrade Jinja2, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow all `format` attributes on strings.
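The following is an added example of that workaround, not code from the Red Hat advisory or the Jinja2 project. It subclasses `SandboxedEnvironment` and overrides `is_safe_attribute` so that untrusted templates can no longer reach `str.format`; the reason this matters is that `str.format` resolves attribute references in its replacement fields itself, outside the sandbox's attribute checks. Blocking `str.format_map` alongside `format` is a conservative extension of mine, not something the advisory names. The `render_untrusted` helper, the `HardenedSandbox` class name and the sample templates are constructed for this example; the `ImportError` fallback only exists so the policy function can be exercised where Jinja2 is not installed.

```python
# Added example applying the advisory's mitigation (override is_safe_attribute
# on the sandbox to deny str.format). Not Red Hat's or the Jinja2 project's code.
from typing import Any, Dict, Tuple

try:
    from jinja2.sandbox import SandboxedEnvironment
    from jinja2.exceptions import SecurityError
    JINJA2_AVAILABLE = True
except ImportError:  # fallback so the policy check below still runs without Jinja2
    SandboxedEnvironment = object
    SecurityError = Exception
    JINJA2_AVAILABLE = False

# str methods that walk attributes of their arguments on their own, bypassing
# the sandbox's per-attribute checks. format_map is an assumption/extension;
# the advisory itself only names `format`.
BLOCKED_STRING_ATTRIBUTES = frozenset({"format", "format_map"})


def is_unsafe_string_format(obj: Any, attr: str) -> bool:
    """True when `attr` names a blocked formatting method on a str instance."""
    return isinstance(obj, str) and attr in BLOCKED_STRING_ATTRIBUTES


class HardenedSandbox(SandboxedEnvironment):
    """Sandbox that refuses str.format / str.format_map outright."""

    def is_safe_attribute(self, obj: Any, attr: str, value: Any) -> bool:
        if is_unsafe_string_format(obj, attr):
            # Returning False makes the sandbox hand back an Undefined that
            # raises SecurityError as soon as the template tries to call it.
            return False
        # Every other upstream rule (leading underscores, internal attributes,
        # unsafe callables) stays in force.
        return super().is_safe_attribute(obj, attr, value)


def render_untrusted(source: str, context: Dict[str, Any]) -> Tuple[bool, str]:
    """Render an untrusted template in the hardened sandbox.

    Returns (True, output) on success or (False, reason) when the sandbox
    blocked the template.
    """
    if not JINJA2_AVAILABLE:
        raise RuntimeError("Jinja2 is not installed")
    env = HardenedSandbox()
    try:
        return True, env.from_string(source).render(**context)
    except SecurityError as exc:
        return False, f"blocked: {exc}"


if __name__ == "__main__":
    # Constructed sample templates: one benign, one that reaches for str.format.
    print(render_untrusted("Hello {{ name.upper() }}!", {"name": "bob"}))
    print(render_untrusted('{{ "{0}".format(name) }}', {"name": "bob"}))
```

The override is deliberately narrow: ordinary string methods such as `upper()` keep working, and the rest of the upstream sandbox policy is untouched. The `SecurityError` surfaces at render time, so callers that accept templates from untrusted sources should catch it and log the rejection rather than let it propagate as a generic 500.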

CVE description copyright © 2017, The MITRE Corporation