CVE-2024-56201

MEDIUM EPSS 21.7%
Published Dec 23, 2024 · Modified Jun 17, 2026
5.4 CVSS 4.0

Description

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker who controls both the content and filename of a template to execute arbitrary Python code, regardless of whether Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

CVSS Details

Base Score
5.4
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Passive (P)
Scope X

Threat Intelligence

EPSS Exploit Probability
21.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-150

Affected Products 1

Vendor           Product  Version  Range
palletsprojects  jinja    *        ≥3.0.0 – <3.1.5

References 4

  • github.com https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
    Patch
  • github.com https://github.com/pallets/jinja/issues/1792
    Issue Tracking
  • github.com https://github.com/pallets/jinja/releases/tag/3.1.5
    Release Notes
  • github.com https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
    Vendor Advisory

Remediation

  • github.com https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
    Patch