CVE-2016-10745: Jinja2 sandbox escape vulnerability
CVSS Score (CVSS 3.0): 8.6
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76513%
CWE
Published
4/10/2019
Updated
9/24/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Jinja2 | pip | < 2.8.1 | 2.8.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two issues that together let a template reach arbitrary Python attributes through `str.format`. (1) `SandboxedEnvironment.call()` did not recognise a bound `str.format` method, so it was invoked like any other permitted callable; a format string such as `"{0.__class__}".format(42)` then resolved its attribute lookups inside the interpreter's own `string.Formatter` machinery, never passing through the sandbox's `is_safe_attribute()` / `getattr()` policy. The fix adds `inspect_format_method()`, which detects a bound `format` method whose receiver is a `str`, and `format_string()`, which renders that string with a sandboxed formatter whose field lookups go through the environment's attribute policy. (2) `Call.as_const()` did not account for sandboxed environments: the compiler folds calls with all-constant operands at compile time, so a literal `"{0.__class__}".format(42)` would be evaluated directly, bypassing `call()` entirely. The patch adds `environment.sandboxed` to the volatility check so such calls raise `Impossible` and are deferred to runtime, where they are intercepted. The added test cases confirm that `{0.__class__}`-style format strings are neutralised, identifying these two code paths as the attack vectors.
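The following is an added, stand-alone example (not Jinja2's own code) that models the escape and the interception described above. It uses only the Python standard library so it runs without Jinja2 installed: `unsandboxed_call()` stands in for the pre-2.8.1 behaviour of calling a bound `str.format` as an ordinary callable, while `sandboxed_call()` detects that case with an `inspect_format_method()` lookalike and routes it through a `string.Formatter` subclass whose `get_field()` applies an attribute policy. The names `SandboxError`, `SandboxedFormatter`, `is_safe_attribute`, `sandboxed_call`, `unsandboxed_call` and `is_blocked`, the no-underscore attribute rule, and the sample format strings are this example's own assumptions.

```python
"""Model of the str.format sandbox escape and the 2.8.1-style interception.

Added example, not Jinja2's code.  The sandbox policy here (reject any
attribute whose name starts with '_') is an assumption for illustration.
"""
import types
from string import Formatter
# CPython helper that string.Formatter itself uses to split "0.__class__[1]"
# into a first key and a sequence of (is_attr, key) steps.
from _string import formatter_field_name_split


class SandboxError(Exception):
    """Raised when a format string reaches an attribute the policy forbids."""


def is_safe_attribute(name):
    """Assumed policy: private and dunder attributes are off limits."""
    return not name.startswith("_")


class SandboxedFormatter(Formatter):
    """string.Formatter whose field resolution goes through the policy.

    Formatter.get_field is the hook that turns '0.__class__' into
    getattr(args[0], '__class__'); that is the place to enforce the check.
    """

    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, key in rest:
            if is_attr:
                if not is_safe_attribute(key):
                    raise SandboxError("attribute %r is not allowed" % key)
                obj = getattr(obj, key)
            else:
                obj = obj[key]
        return obj, first


def inspect_format_method(callable_obj):
    """Return the receiver string if callable_obj is a bound str.format,
    otherwise None.  Mirrors the detection the fix introduced."""
    if not isinstance(callable_obj, (types.MethodType, types.BuiltinMethodType)):
        return None
    if getattr(callable_obj, "__name__", None) != "format":
        return None
    receiver = getattr(callable_obj, "__self__", None)
    return receiver if isinstance(receiver, str) else None


def unsandboxed_call(fn, *args, **kwargs):
    """Pre-fix behaviour: a bound str.format is called like any other callable,
    so attribute walks happen inside the interpreter, outside any policy."""
    return fn(*args, **kwargs)


def sandboxed_call(fn, *args, **kwargs):
    """Post-fix behaviour: str.format is recognised and rendered under policy."""
    fmt = inspect_format_method(fn)
    if fmt is not None:
        return SandboxedFormatter().vformat(fmt, args, kwargs)
    return fn(*args, **kwargs)


def is_blocked(fmt, *args, **kwargs):
    """True if the sandboxed path refuses to render fmt with these arguments."""
    try:
        sandboxed_call(fmt.format, *args, **kwargs)
    except SandboxError:
        return True
    return False


# Constructed attacker-controlled expressions, as a template might pass them.
ESCAPE_FORMAT = "{0.__class__.__name__}"          # walks from 42 to its type
BENIGN_FORMAT = "user {0} has {1.real} credits"   # ordinary attribute use

if __name__ == "__main__":
    print("unsandboxed:", unsandboxed_call(ESCAPE_FORMAT.format, 42))
    print("sandboxed benign:", sandboxed_call(BENIGN_FORMAT.format, "bob", 3))
    print("sandboxed escape blocked:", is_blocked(ESCAPE_FORMAT, 42))
```

The same policy hook is where a real sandbox would call its `getattr`/`getitem` methods instead of the bare `getattr` used here, so that `{0[key]}` and `{0.attr}` are judged by one rule set. Note that the interception only helps if the call actually reaches the hook; a constant-folding step that evaluates `"{0.__class__}".format(42)` at compile time sidesteps it, which is why the second half of the fix defers such calls to runtime in sandboxed environments.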