flexion / devops-deployment-metrics

Generate DevOps deployment metrics from GitHub repositories using a GitHub Action workflow to deploy a product
MIT License
4 stars, 1 fork

Resolve Jinja2 security vulnerability CVE-2019-8341 #486

Closed tomwillis608 closed 1 month ago

tomwillis608 commented 1 month ago

```
Using open-source vulnerability database
Found and scanned 103 packages
Timestamp 2024-06-07 21:36:11
1 vulnerability reported
0 vulnerabilities ignored

+==============================================================================+
                            VULNERABILITIES REPORTED
+==============================================================================+

-> Vulnerability found in jinja2 version 3.1.4
   Vulnerability ID: 70612
   Affected spec: >=0
   ADVISORY: In Jinja2, the from_string function is prone to Server Side
   Template Injection (SSTI) where it takes the "source" parameter as a
   template object, renders it, and then returns it. The attacker can exploit
   it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple
   third parties believe that this vulnerability isn't valid because users
   shouldn't use untrusted templates without sandboxing.
   CVE-2019-8341
   For more information about this vulnerability, visit
   https://data.safetycli.com/v/70612/97c
   To ignore this vulnerability, use PyUp vulnerability id 70612 in safety's
   ignore command-line argument or add the ignore to your safety policy file.
```

Source: GitHub Actions job log, https://github.com/flexion/devops-deployment-metrics/actions/runs/9423411378/job/25961726941#step:11:62
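The advisory's point, restated for a reviewer: the risk in CVE-2019-8341 is not `from_string` itself but user-controlled text becoming the template *source* that `from_string` compiles, instead of a value rendered into a fixed template. The following is an added example written for this page, not code from the devops-deployment-metrics project or from Jinja2: a small, hypothetical AST-based check that flags Jinja2 render calls whose template source is anything other than a string literal. The module it scans is constructed inline; the names `find_dynamic_template_sources` and `TEMPLATE_SOURCE_CALLS` are this example's own.

```python
"""
Hypothetical static check (added example, not project code): flag Jinja2
calls where the *template source* is built from a non-literal expression.
Such call sites are where untrusted input would become template code.
"""
import ast

# Jinja2 entry points whose first positional argument is template source text.
# (`Template` is assumed to mean jinja2.Template; a string.Template call would
# be a false positive in a real code base and should be filtered by import.)
TEMPLATE_SOURCE_CALLS = {"from_string", "Template"}


def _is_literal_source(node: ast.AST) -> bool:
    """True when the source expression is a fixed string (trusted by construction)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    # An f-string with no interpolated parts is still a fixed string.
    if isinstance(node, ast.JoinedStr):
        return all(isinstance(v, ast.Constant) for v in node.values)
    return False


def find_dynamic_template_sources(source: str, filename: str = "<constructed>"):
    """Return (line, callee, source_expr) for every flagged call in `source`."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            callee = func.attr          # env.from_string(...)
        elif isinstance(func, ast.Name):
            callee = func.id            # Template(...)
        else:
            continue
        if callee not in TEMPLATE_SOURCE_CALLS:
            continue
        src = node.args[0]
        if not _is_literal_source(src):
            findings.append((node.lineno, callee, ast.unparse(src)))
    return findings


# Constructed sample module: one safe call site and two that the check flags.
SAMPLE_MODULE = '''
from jinja2 import Environment
env = Environment()

def greet(name):
    # safe: user input is passed as data; the template source is a literal
    return env.from_string("Hello {{ name }}!").render(name=name)

def greet_unsafe(name):
    # unsafe: user input is concatenated into the template source itself
    return env.from_string("Hello " + name + "!").render()

def render_user_layout(layout):
    # unsafe unless `layout` is trusted: the source comes from a variable
    return env.from_string(layout).render()
'''


if __name__ == "__main__":
    for line, callee, expr in find_dynamic_template_sources(SAMPLE_MODULE):
        print(f"line {line}: {callee}() called with non-literal template source: {expr}")
```

A finding here is a review prompt, not a verdict: the call in `render_user_layout` is fine if `layout` only ever comes from files the deploying team controls, and is the SSTI case the advisory describes if it can be influenced by a request. Either way, a literal template plus `render(name=...)` is the form to prefer, and a `jinja2.sandbox.SandboxedEnvironment` is the documented fallback when the template text itself must come from users.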

tomwillis608 commented 1 month ago

See also #491