Bug 2333854 (CVE-2024-56201) - CVE-2024-56201 jinja2: Jinja has a sandbox breakout through malicious filenames
Summary: CVE-2024-56201 jinja2: Jinja has a sandbox breakout through malicious filenames
Keywords:
Status: NEW
Alias: CVE-2024-56201
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2336364 2336365 2336366 2333949 2336367 2336368 2336369 2336370 2336371 2336372 2336373 2336374 2336375 2336376 2336377 2336378 2336379 2336380
Blocks:
Reported: 2024-12-23 16:01 UTC by OSIDB Bzimport
Modified: 2025-06-17 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:0897 0 None None None 2025-02-03 15:14:20 UTC
Red Hat Product Errata RHSA-2025:0335 0 None None None 2025-01-15 14:52:55 UTC
Red Hat Product Errata RHSA-2025:0338 0 None None None 2025-01-15 15:36:56 UTC
Red Hat Product Errata RHSA-2025:0341 0 None None None 2025-01-15 19:35:37 UTC
Red Hat Product Errata RHSA-2025:0345 0 None None None 2025-01-15 21:38:56 UTC
Red Hat Product Errata RHSA-2025:0656 0 None None None 2025-01-28 04:56:44 UTC
Red Hat Product Errata RHSA-2025:0721 0 None None None 2025-01-27 19:30:22 UTC
Red Hat Product Errata RHSA-2025:0722 0 None None None 2025-01-27 22:41:09 UTC
Red Hat Product Errata RHSA-2025:0753 0 None None None 2025-01-28 01:05:02 UTC
Red Hat Product Errata RHSA-2025:0777 0 None None None 2025-01-28 19:17:13 UTC
Red Hat Product Errata RHSA-2025:0830 0 None None None 2025-02-10 06:12:39 UTC
Red Hat Product Errata RHSA-2025:0834 0 None None None 2025-02-06 01:11:31 UTC
Red Hat Product Errata RHSA-2025:0842 0 None None None 2025-02-06 15:43:09 UTC
Red Hat Product Errata RHSA-2025:0875 0 None None None 2025-02-05 10:50:04 UTC
Red Hat Product Errata RHSA-2025:1101 0 None None None 2025-02-05 20:24:57 UTC
Red Hat Product Errata RHSA-2025:1118 0 None None None 2025-02-13 02:40:08 UTC
Red Hat Product Errata RHSA-2025:1123 0 None None None 2025-02-12 00:13:33 UTC
Red Hat Product Errata RHSA-2025:1130 0 None None None 2025-02-12 04:02:12 UTC
Red Hat Product Errata RHSA-2025:1861 0 None None None 2025-02-25 19:36:10 UTC
Red Hat Product Errata RHSA-2025:3491 0 None None None 2025-04-01 15:13:17 UTC

Description OSIDB Bzimport 2024-12-23 16:01:03 UTC
Jinja is an extensible templating engine. Prior to 3.1.5, a bug in the Jinja compiler allows an attacker who controls both the content and the filename of a template to execute arbitrary Python code, regardless of whether Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

Comment 5 fedepell 2025-01-09 13:56:05 UTC
This project is not affected as it does not bundle the source code of jinja2.

Comment 6 Lumír Balhar 2025-01-10 07:03:18 UTC
(In reply to fedepell from comment #5)
> This project is not affected as it does not bundle the source code of jinja2.

Are you sure you have commented on the correct bugzilla? This is the main bug shared between all the components that ship the vulnerable source code.

Comment 7 fedepell 2025-01-10 07:05:41 UTC
Lumir: you are right, sorry for this :/ Bugzilla notifications are a bit of a mess (IMO at least ;)). Sorry again! (my comment was intended for the jinja2-time module)

Comment 8 errata-xmlrpc 2025-01-15 14:52:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:0335 https://access.redhat.com/errata/RHSA-2025:0335

Comment 9 errata-xmlrpc 2025-01-15 15:36:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:0338 https://access.redhat.com/errata/RHSA-2025:0338

Comment 10 errata-xmlrpc 2025-01-15 19:35:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:0341 https://access.redhat.com/errata/RHSA-2025:0341

Comment 11 errata-xmlrpc 2025-01-15 21:38:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:0345 https://access.redhat.com/errata/RHSA-2025:0345

Comment 12 errata-xmlrpc 2025-01-27 19:30:16 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2025:0721 https://access.redhat.com/errata/RHSA-2025:0721

Comment 13 errata-xmlrpc 2025-01-27 22:41:04 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:0722 https://access.redhat.com/errata/RHSA-2025:0722

Comment 14 errata-xmlrpc 2025-01-28 01:04:56 UTC
This issue has been addressed in the following products:

  Ansible Automation Platform Execution Environments

Via RHSA-2025:0753 https://access.redhat.com/errata/RHSA-2025:0753

Comment 15 errata-xmlrpc 2025-01-28 04:56:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0656 https://access.redhat.com/errata/RHSA-2025:0656

Comment 16 errata-xmlrpc 2025-01-28 19:17:07 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:0777 https://access.redhat.com/errata/RHSA-2025:0777

Comment 17 errata-xmlrpc 2025-02-05 10:49:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875

Comment 18 errata-xmlrpc 2025-02-05 20:24:52 UTC
This issue has been addressed in the following products:

  Ansible Automation Platform Execution Environments

Via RHSA-2025:1101 https://access.redhat.com/errata/RHSA-2025:1101

Comment 19 errata-xmlrpc 2025-02-06 01:11:25 UTC
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.12
  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:0834 https://access.redhat.com/errata/RHSA-2025:0834

Comment 20 errata-xmlrpc 2025-02-06 15:43:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:0842 https://access.redhat.com/errata/RHSA-2025:0842

Comment 22 errata-xmlrpc 2025-02-10 06:12:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:0830 https://access.redhat.com/errata/RHSA-2025:0830

Comment 23 errata-xmlrpc 2025-02-12 00:13:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:1123 https://access.redhat.com/errata/RHSA-2025:1123

Comment 24 errata-xmlrpc 2025-02-12 04:02:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:1130 https://access.redhat.com/errata/RHSA-2025:1130

Comment 25 errata-xmlrpc 2025-02-13 02:40:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:1118 https://access.redhat.com/errata/RHSA-2025:1118

Comment 26 errata-xmlrpc 2025-02-25 19:36:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:1861 https://access.redhat.com/errata/RHSA-2025:1861

Comment 27 errata-xmlrpc 2025-04-01 15:13:11 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2025:3491 https://access.redhat.com/errata/RHSA-2025:3491
