Bug 2333854 (CVE-2024-56201)
| Summary: | CVE-2024-56201 jinja2: Jinja has a sandbox breakout through malicious filenames | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abarbaro, adudiak, ahrabovs, alizardo, anpicker, anthomas, aprice, aucunnin, bbrownin, bdettelb, bparees, brking, caswilli, cmyers, dfreiber, dnakabaa, doconnor, dranck, drow, dschmidt, eglynn, ehelms, erezende, ggainey, gtanzill, haoli, hasun, hkataria, jajackso, jburrell, jcammara, jchui, jdobes, jeder, jforrest, jfula, jhe, jjoyce, jkoehler, jlanda, jmitchel, jneedle, jowilson, jpretori, jsamir, jschluet, jtanner, juwatts, jwong, kaycoth, kegrant, kgaikwad, kholdawa, koliveir, kshier, ktsao, lbalhar, lbrazdil, lcouzens, lhh, ljawale, lphiri, lsvaty, luizcosta, mabashia, mattdavi, mburns, mgarciac, mhulan, mminar, mpierce, mskarbek, mstoklus, mwringe, nboldt, nmoumoul, nweather, nyancey, oaljalju, oezr, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pbraun, pcreech, pgrist, psrna, ptisnovs, rbiba, rbobbitt, rchan, rhos-maint, shrjoshi, shvarugh, simaishi, smallamp, smcdonal, sskracic, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tmalecek, tpfromme, tvignaud, vkrizan, vkumar, xdharmai, yguenane, zkayyali |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the Jinja2 package. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of Jinja's sandbox being used. An attacker needs to be able to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates where the template author can also choose the template filename.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2336365, 2336366, 2333949, 2336364, 2336367, 2336368, 2336369, 2336370, 2336371, 2336372, 2336373, 2336374, 2336375, 2336376, 2336377, 2336378, 2336379, 2336380 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2024-12-23 16:01:03 UTC
This project is not affected as it does not bundle the source code of jinja2. (In reply to fedepell from comment #5) > This project is not affected as it does not bundle the source code of jinja2. Are you sure you have commented on the correct bugzilla? This is the main bug shared between all the components that ship the vulnerable source code. Lumir: you are right, sorry for this :/ Bugzilla notifications are a bit of a mess (IMO at least ;)) . Sorry again! (my comment was intended for the jinja2-time module) This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2025:0335 https://access.redhat.com/errata/RHSA-2025:0335 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:0338 https://access.redhat.com/errata/RHSA-2025:0338 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 8 Red Hat Ansible Automation Platform 2.5 for RHEL 9 Via RHSA-2025:0341 https://access.redhat.com/errata/RHSA-2025:0341 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:0345 https://access.redhat.com/errata/RHSA-2025:0345 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2025:0721 https://access.redhat.com/errata/RHSA-2025:0721 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 8 Red Hat Ansible Automation Platform 2.4 for RHEL 9 Via RHSA-2025:0722 https://access.redhat.com/errata/RHSA-2025:0722 This issue has been addressed in the following products: Ansible Automation Platform Execution Environments Via RHSA-2025:0753 https://access.redhat.com/errata/RHSA-2025:0753 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2025:0656 https://access.redhat.com/errata/RHSA-2025:0656 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 9 Red Hat Ansible Automation Platform 2.5 for RHEL 8 Via RHSA-2025:0777 https://access.redhat.com/errata/RHSA-2025:0777 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875 This issue has been addressed in the following products: Ansible Automation Platform Execution Environments Via RHSA-2025:1101 https://access.redhat.com/errata/RHSA-2025:1101 This issue has been addressed in the following products: Ironic content for Red Hat OpenShift Container Platform 4.12 Red Hat OpenShift Container Platform 4.12 Via RHSA-2025:0834 https://access.redhat.com/errata/RHSA-2025:0834 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2025:0842 https://access.redhat.com/errata/RHSA-2025:0842 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2025:0830 https://access.redhat.com/errata/RHSA-2025:0830 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2025:1123 https://access.redhat.com/errata/RHSA-2025:1123 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2025:1130 https://access.redhat.com/errata/RHSA-2025:1130 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Ironic content for Red Hat OpenShift Container Platform 4.13 Via RHSA-2025:1118 https://access.redhat.com/errata/RHSA-2025:1118 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2025:1861 https://access.redhat.com/errata/RHSA-2025:1861 This issue has been addressed in the following products: Red Hat Satellite 6.15 for RHEL 8 Via RHSA-2025:3491 https://access.redhat.com/errata/RHSA-2025:3491 |