CVE-2016-10745
Jinja2 sandbox escape vulnerability
Severity: HIGH 8.6 | EPSS: 1.0%
Published: 4/10/2019 | Modified: 4/28/2026
Also known as: DEBIAN-CVE-2016-10745
Description
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. The SandboxedEnvironment restricts attribute and item access in templates, but it did not intercept calls to the built-in str.format method. str.format resolves dotted and bracketed replacement fields (for example {0.__class__.__init__.__globals__}) itself, inside the interpreter, so a template that calls .format() on an attacker-controlled format string can walk from any object in the context to its class, to module globals and on to arbitrary Python objects without ever passing the sandbox's attribute checks. Only applications that render untrusted templates in a SandboxedEnvironment are affected; the plain Environment offers no sandbox to escape and is already equivalent to arbitrary code execution for whoever controls the template. The fix in 2.8.1 (commit 9b53045c34e61013dc8f09b7e52a555fa16bed16) makes the sandbox intercept format calls and apply its attribute and item checks to each field lookup. Upgrade to 2.8.1 or later (Debian: 2.9.4-1 or later); to check an installed version, inspect jinja2.__version__.
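The following is an added example, not Jinja2's own code and not the patch linked below. It uses only the standard library so it runs without Jinja2 installed. It shows the two halves of the issue: why a Python-level sandbox that only wraps attribute lookups never sees the hops str.format takes on its own, and how re-implementing field resolution in a string.Formatter subclass lets a policy check every hop, which is the same idea as the upstream fix. The underscore rule in is_safe_attribute and the names User, SecurityError, render_unsandboxed, render_sandboxed and ESCAPE are this example's own simplifications, not Jinja2's actual policy or API; the attacker payload is constructed for the demonstration.

```python
"""Why an attacker-controlled format string defeats an attribute-access sandbox,
and how routing the format through a string.Formatter subclass closes the hole.

Added example, standard library only (does not need Jinja2). The underscore
rule in is_safe_attribute is a simplified stand-in for Jinja2's real
SandboxedEnvironment.is_safe_attribute policy, not a copy of it.
"""
import os  # imported only so the module globals contain something worth reaching
import re
import string


class SecurityError(Exception):
    """Raised when a format string tries to reach an attribute the policy forbids."""


class User:
    """Harmless context object of the kind a template would normally format."""

    def __init__(self, name):
        self.name = name


def is_safe_attribute(name):
    # Simplified policy (assumption, not Jinja2's): anything starting with an
    # underscore is off limits, which covers __class__, __init__, __globals__, ...
    return not str(name).startswith("_")


def render_unsandboxed(fmt, **ctx):
    # str.format resolves {a.b[c]} inside CPython's C implementation; a sandbox
    # that only wraps Python-level getattr/getitem never sees those hops.
    return fmt.format(**ctx)


# One hop of a replacement field: ".attr" or "[key]".
_HOP = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


def split_field(field_name):
    """Split 'user.name[0]' into ('user', [(True, 'name'), (False, 0)]).

    Hand-written equivalent of the private helper str.format uses, so that every
    attribute and item hop can be policy-checked before it is taken.
    """
    m = re.match(r"[^.\[]*", field_name)
    first = m.group(0)
    hops = []
    for hop in _HOP.finditer(field_name, m.end()):
        attr, key = hop.group(1), hop.group(2)
        if attr is not None:
            hops.append((True, attr))
        else:
            hops.append((False, int(key) if key.isdigit() else key))
    return (int(first) if first.isdigit() else first), hops


class SandboxedFormatter(string.Formatter):
    """Re-implements field resolution so the sandbox policy applies to every hop."""

    def get_field(self, field_name, args, kwargs):
        first, hops = split_field(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in hops:
            if is_attr:
                if not is_safe_attribute(name):
                    raise SecurityError(f"access to attribute {name!r} is not allowed")
                obj = getattr(obj, name)
            else:
                obj = obj[name]
        return obj, first


def render_sandboxed(fmt, **ctx):
    # Same call the template would make, but every field hop is now checked.
    return SandboxedFormatter().format(fmt, **ctx)


# Constructed attacker payload: walks from a harmless object to the module
# globals and pulls out the os module, the path plain str.format permits.
ESCAPE = "{user.__class__.__init__.__globals__[os]}"


def escape_succeeds(render):
    """True if `render` lets the payload reach the os module."""
    try:
        return render(ESCAPE, user=User("alice")).startswith("<module 'os'")
    except SecurityError:
        return False


if __name__ == "__main__":
    print("unsandboxed escape succeeds:", escape_succeeds(render_unsandboxed))
    print("sandboxed escape succeeds:  ", escape_succeeds(render_sandboxed))
    print(render_sandboxed("Hello {user.name}", user=User("alice")))
```

The point of split_field is that the check has to happen per hop, not on the whole field name: a single getattr guard around the final object would still let the intermediate __class__ and __globals__ lookups happen inside str.format. A real sandbox should route both attribute and item hops through its own getattr/getitem so that the same policy governs template expressions and format strings alike.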
Affected packages (3)
- Debian/jinja2: from 0, < 2.9.4-1
- PyPI/jinja2: from 0, < 2.8.1
- PyPI/jinja2: from 0, < 9b53045c34e61013dc8f09b7e52a555fa16bed16 (git) | from 0, < 2.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
References (19)
- ADVISORY https://github.com/advisories/GHSA-hj2j-77xm-mc5v
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-10745
- ADVISORY https://palletsprojects.com/blog/jinja-281-released/
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2016-10745
- PATCH https://github.com/pallets/jinja
- WEB http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html
- WEB http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html
- WEB https://access.redhat.com/errata/RHSA-2019:1022
- WEB https://access.redhat.com/errata/RHSA-2019:1237
- WEB https://access.redhat.com/errata/RHSA-2019:1260
- WEB https://access.redhat.com/errata/RHSA-2019:3964
- WEB https://access.redhat.com/errata/RHSA-2019:4062
- WEB https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2019-220.yaml
- WEB https://palletsprojects.com/blog/jinja-281-released
- WEB https://usn.ubuntu.com/4011-1
- WEB https://usn.ubuntu.com/4011-1/
- WEB https://usn.ubuntu.com/4011-2
- WEB https://usn.ubuntu.com/4011-2/