MidnightBSD

Advisories for pocoo

CVE-2014-0012 MEDIUM

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
pocoo jinja2 2.7.2
CVE-2014-1402 MEDIUM

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
pocoo jinja2 2.5.4
pocoo jinja2 2.7
pocoo jinja2 2.1.1
pocoo jinja2 2.5.2
pocoo jinja2 2.5.3
pocoo jinja2 2.5.1
pocoo jinja2 2.4.1
pocoo jinja2 2.4
pocoo jinja2 2.2
pocoo jinja2 2.3.1
pocoo jinja2 2.0
pocoo jinja2 *
pocoo jinja2 2.1
pocoo jinja2 2.5.5
pocoo jinja2 2.3
pocoo jinja2 2.2.1
pocoo jinja2 2.6
pocoo jinja2 2.5
CVE-2019-8341 HIGH

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
opensuse leap 15.0
opensuse leap 42.3
pocoo jinja2 2.10
CVE-2021-42771 HIGH

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
pocoo babel *
debian debian_linux 10.0