toonarmycaptain / worksheet_generator

Worksheet generator application.

CVE-2019-8341 (High) detected in Jinja2-2.10-py2.py3-none-any.whl - autoclosed #50

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 5 years ago

CVE-2019-8341 - High Severity Vulnerability

Vulnerable Library - Jinja2-2.10-py2.py3-none-any.whl

A small but fast and easy to use stand-alone template engine written in pure python.

Library home page: https://files.pythonhosted.org/packages/7f/ff/ae64bacdfc95f27a016a7bed8e8686763ba4d277a78ca76f32659220a731/Jinja2-2.10-py2.py3-none-any.whl

Path to dependency file: /worksheet_generator/requirements.txt

Path to vulnerable library: teSource-ArchiveExtractor_64fac68f-b3b0-41bc-b76d-bdbf6191ef6f/20190601182824_53285/20190601182813_depth_0/8/Jinja2-2.10-py2.py3-none-any/jinja2

Dependency Hierarchy:

- :x: **Jinja2-2.10-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 2e0e106baf0ccaaf79d1e1e484035b7bb9cf7190

Vulnerability Details

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.

Publish Date: 2019-02-15

URL: CVE-2019-8341

CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.


mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.