CVE-2024-56201
Publication date 23 December 2024
Last updated 30 January 2025
Ubuntu priority
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| jinja2 | 24.10 oracular |
Fixed 3.1.3-1ubuntu1.24.10.1
|
| 24.04 LTS noble |
Fixed 3.1.2-1ubuntu1.2
|
|
| 22.04 LTS jammy |
Fixed 3.0.3-1ubuntu0.3
|
|
| 20.04 LTS focal |
Fixed 2.10.1-2ubuntu0.4
|
|
| 18.04 LTS bionic |
Fixed 2.10-1ubuntu0.18.04.1+esm3
|
|
| 16.04 LTS xenial |
Vulnerable
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProReferences
Related Ubuntu Security Notices (USN)
- USN-7244-1
- Jinja2 vulnerabilities
- 30 January 2025