CVE-2024-56201

Publication date 23 December 2024

Last updated 15 January 2025

Ubuntu priority

Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
jinja2	24.10 oracular	Vulnerable
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-56201
https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
https://github.com/pallets/jinja/issues/1792
https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
https://github.com/pallets/jinja/releases/tag/3.1.5