CVE-2019-10906

NameCVE-2019-10906
DescriptionIn Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs926602

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jinja2 (PTS)jessie2.7.3-1vulnerable
stretch2.8-1vulnerable
buster2.10-2fixed
bullseye, sid2.10.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jinja2source(unstable)2.10-2926602

Notes

[stretch] - jinja2 <no-dsa> (Minor issue)
[jessie] - jinja2 <no-dsa> (Minor issue)
https://palletsprojects.com/blog/jinja-2-10-1-released/
https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26

Search for package or bug name: Reporting problems