CVE-2019-10906

high-risk

Published 2019-04-07

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Do I need to act?

3.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.6/10 High

NETWORK / LOW complexity

Jinja

Fedora

Ubuntu Linux

Software Collections

Leap

Redhat Canonical Fedoraproject Opensuse Palletsprojects

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1152

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1237

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1329

Release Notes https://palletsprojects.com/blog/jinja-2-10-1-released

Third Party Advisory https://usn.ubuntu.com/4011-1/

Third Party Advisory https://usn.ubuntu.com/4011-2/

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html

and 18 more references

/ 100

high-risk

Severity 29/34 · Critical

Exploitability 7/34 · Low

Exposure 17/34 · Moderate