[Security] Update to Jinja2 and related packages
Released 2025-03-16 13:13:12 -04:00 | 1 commit to main since this release
Commit: Update Jinja2 to resolve GHSA-cpwx-vrp4-4pq7
TLDR:
An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker who controls the content of a template to execute arbitrary Python code. Whether an attacker can control template content depends on the application using Jinja: this vulnerability only impacts applications that render untrusted templates (in foldsite's case, anything rendered through `SandboxedEnvironment` from user-supplied input). Jinja's sandbox does catch direct calls to `str.format` and ensures they don't escape the sandbox. However, it was possible to use the `|attr` filter to obtain a reference to a string's plain `format` method, bypassing the sandbox's attribute checks. After the fix (upstream Jinja2 3.1.6), the `|attr` filter no longer bypasses the environment's attribute lookup, so the sandbox applies its checks there too. Check the Jinja2 version actually installed in your image or virtualenv rather than trusting the release tag alone.
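The following is an added example, not code from the foldsite project or from Jinja itself. It shows the two checks a maintainer would run after this advisory: a version gate over `pip freeze`-style output (the fix release 3.1.6 is taken from upstream's changelog), and a behavioural probe of the installed Jinja2 that tests the exact property the advisory describes, namely whether `|attr` routes through the sandboxed environment's `getattr()`. The `RecordingSandbox` subclass, the sample freeze text and the probe templates are constructed for this example; the probe functions return `None` when `jinja2` is not importable so the block runs offline.

```python
"""Post-advisory checks for GHSA-cpwx-vrp4-4pq7 (added example, not project code)."""
import re

# Upstream fix release; pre-releases of 3.1.6 sort below it (last tuple element 0).
FIXED_JINJA2 = (3, 1, 6, 1)

# Constructed sample of `pip freeze` output for the demo; not from the real image.
SAMPLE_FREEZE = """\
Flask==3.1.0
Jinja2==3.1.5
MarkupSafe==3.0.2
"""


def parse_version(v: str) -> tuple:
    """Turn '3.1.5', '3.1.6rc1' or '3.1.6.post1' into a comparable tuple.

    Numeric parts first, then a flag that is 0 for pre-releases (a/b/rc/dev)
    and 1 otherwise, so '3.1.6rc1' < '3.1.6' <= '3.1.6.post1'.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, rest = m.groups()
    final = 0 if re.match(r"\.?(a|b|rc|dev)", rest) else 1
    return (int(major), int(minor or 0), int(patch or 0), final)


def vulnerable_pins(freeze_output: str) -> list:
    """Return the exact Jinja2 pins (name==version lines) that are below the fix.

    Only '==' pins are considered: a range like 'jinja2>=3.1' does not tell
    you what is installed, so resolve it with `pip freeze` first.
    """
    found = []
    for line in freeze_output.splitlines():
        m = re.match(r"^\s*jinja2\s*==\s*(\S+)", line, re.IGNORECASE)
        if m and parse_version(m.group(1)) < FIXED_JINJA2:
            found.append(line.strip())
    return found


def attr_filter_uses_env_lookup():
    """Probe the installed Jinja2 for the behaviour the advisory's fix introduces.

    Returns True if `|attr` goes through SandboxedEnvironment.getattr (fixed),
    False if it bypasses it (vulnerable), or None if jinja2 is not installed.
    """
    try:
        from jinja2.sandbox import SandboxedEnvironment
    except ImportError:
        return None

    lookups = []

    class RecordingSandbox(SandboxedEnvironment):  # constructed for this probe
        def getattr(self, obj, attribute):
            lookups.append(attribute)
            return super().getattr(obj, attribute)

    env = RecordingSandbox()
    # The string is passed as a variable so the optimizer cannot constant-fold
    # the filter away at compile time; the call itself is otherwise harmless.
    env.from_string('{{ (s|attr("upper"))() }}').render(s="probe")
    return "upper" in lookups


def direct_format_output():
    """Show the part the advisory says already worked: a *direct* call to a
    str.format obtained via |attr is intercepted by the sandbox, so the
    unsafe '{0.__class__}' field renders as empty rather than leaking the type.
    Returns the rendered text, or None if jinja2 is not installed.
    """
    try:
        from jinja2.sandbox import SandboxedEnvironment
    except ImportError:
        return None
    env = SandboxedEnvironment()
    return env.from_string('{{ (s|attr("format"))(42) }}').render(s="a{0.__class__}b")


if __name__ == "__main__":
    print("pins below fix:", vulnerable_pins(SAMPLE_FREEZE))
    print("|attr routed through sandbox getattr:", attr_filter_uses_env_lookup())
    print("direct str.format call output:", direct_format_output())
```

Run `vulnerable_pins` over the real `pip freeze` output from the container (for this image, `python -c "import jinja2; print(jinja2.__version__)"` inside it, assuming the image's Python is on `PATH`) rather than over the constructed sample. The behavioural probe is the more reliable of the two, since it checks what the installed code does instead of what a version string claims.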
Docker images are available at (all tags resolve to the same digest):
- git.dws.rip/dubey/foldsite:1.0.1@sha256:8b71c245f5ad1f8d590b8836617b24af01637aa3df5e85858d1e9bf67373252a
- git.dws.rip/dubey/foldsite:1.0@sha256:8b71c245f5ad1f8d590b8836617b24af01637aa3df5e85858d1e9bf67373252a
- git.dws.rip/dubey/foldsite:sha-744693a5f153e551f9c3629d2fa12b890a268e0d@sha256:8b71c245f5ad1f8d590b8836617b24af01637aa3df5e85858d1e9bf67373252a
- git.dws.rip/dubey/foldsite:latest@sha256:8b71c245f5ad1f8d590b8836617b24af01637aa3df5e85858d1e9bf67373252a