Homepage

jinja2@3.1.5 vulnerabilities

A very fast and expressive template engine.

  • latest version

    3.1.6

  • latest non vulnerable version

    3.1.6

  • first published

    16 years ago

  • latest version published

    1 months ago

  • licenses detected

  • View jinja2 package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the jinja2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Template Injection

    Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

    Affected versions of this package are vulnerable to Template Injection through the |attr filter. An attacker that controls the content of a template can escape the sandbox and execute arbitrary Python code by using the |attr filter to get a reference to a string's plain format method, bypassing the environment's attribute lookup.

    Note:

    This is only exploitable if the application executes untrusted templates.

    How to fix Template Injection?

    Upgrade Jinja2 to version 3.1.6 or higher.

    [,3.1.6)
    Go back to all versions of this package