diff --git a/audits/aider-requirements.audit.json b/audits/aider-requirements.audit.json index 14e14ae0..8873e2bf 100644 --- a/audits/aider-requirements.audit.json +++ b/audits/aider-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/ansible-lint-requirements.audit.json b/audits/ansible-lint-requirements.audit.json index fddff3a7..6eeb8fe2 100644 --- a/audits/ansible-lint-requirements.audit.json +++ b/audits/ansible-lint-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json index 8e148f38..d552877f 100644 --- a/audits/certsync-requirements.audit.json +++ b/audits/certsync-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/charmcraft-requirements.audit.json b/audits/charmcraft-requirements.audit.json index 60b937f2..d07e8abc 100644 --- a/audits/charmcraft-requirements.audit.json +++ b/audits/charmcraft-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/gdbgui-requirements.audit.json b/audits/gdbgui-requirements.audit.json index c1a8dc21..167af972 100644 --- a/audits/gdbgui-requirements.audit.json +++ b/audits/gdbgui-requirements.audit.json @@ -279,6 +279,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -700,6 +705,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/gi-docgen-requirements.audit.json b/audits/gi-docgen-requirements.audit.json index af6ac0e4..61e668ef 100644 --- a/audits/gi-docgen-requirements.audit.json +++ b/audits/gi-docgen-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/harlequin-requirements.audit.json b/audits/harlequin-requirements.audit.json index 6f00748c..b5ddf871 100644 --- a/audits/harlequin-requirements.audit.json +++ b/audits/harlequin-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/icloudpd-requirements.audit.json b/audits/icloudpd-requirements.audit.json index 579e95fb..7f35261c 100644 --- a/audits/icloudpd-requirements.audit.json +++ b/audits/icloudpd-requirements.audit.json @@ -392,6 +392,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -522,6 +527,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/libplacebo-requirements.audit.json b/audits/libplacebo-requirements.audit.json index 949aac0e..5d72d5f8 100644 --- a/audits/libplacebo-requirements.audit.json +++ b/audits/libplacebo-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/litani-requirements.audit.json b/audits/litani-requirements.audit.json index a738e3d8..bf186c2a 100644 --- a/audits/litani-requirements.audit.json +++ b/audits/litani-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json index cdc960c9..8abd521e 100644 --- a/audits/mentat-requirements.audit.json +++ b/audits/mentat-requirements.audit.json @@ -383,6 +383,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -804,6 +809,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/organize-tool-requirements.audit.json b/audits/organize-tool-requirements.audit.json index 6fa32bfa..d149200f 100644 --- a/audits/organize-tool-requirements.audit.json +++ b/audits/organize-tool-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/pytorch-requirements.audit.json b/audits/pytorch-requirements.audit.json index 5477c82e..9b2e7d50 100644 --- a/audits/pytorch-requirements.audit.json +++ b/audits/pytorch-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json index 8f098480..bc4806ac 100644 --- a/audits/recon-ng-requirements.audit.json +++ b/audits/recon-ng-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/sail-requirements.audit.json b/audits/sail-requirements.audit.json index 417a1f1c..8c4abe83 100644 --- a/audits/sail-requirements.audit.json +++ b/audits/sail-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/snapcraft-requirements.audit.json b/audits/snapcraft-requirements.audit.json index bab1d574..9aedf936 100644 --- a/audits/snapcraft-requirements.audit.json +++ b/audits/snapcraft-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/audits/vunnel-requirements.audit.json b/audits/vunnel-requirements.audit.json index e5e33bee..dc24e1cf 100644 --- a/audits/vunnel-requirements.audit.json +++ b/audits/vunnel-requirements.audit.json @@ -17,6 +17,11 @@ "aliases": [ "CVE-2024-56201" ], + "related": [ + "CGA-gvvw-7w3r-7m54", + "CGA-mvqg-6j62-4pjm", + "CGA-whf8-42p9-686q" + ], "summary": "Jinja has a sandbox breakout through malicious filenames", "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", "affected": [ @@ -147,6 +152,11 @@ "aliases": [ "CVE-2024-56326" ], + "related": [ + "CGA-79fr-pvjg-j9xm", + "CGA-crfr-r549-cvmg", + "CGA-gm37-p355-3fq6" + ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", "affected": [ diff --git a/requirements/cruft-requirements.txt b/requirements/cruft-requirements.txt index f730da7e..e44df295 100644 --- a/requirements/cruft-requirements.txt +++ b/requirements/cruft-requirements.txt @@ -1,7 +1,7 @@ arrow==1.3.0 binaryornot==0.4.4 chardet==5.2.0 -charset-normalizer==3.4.0 +charset-normalizer==3.4.1 click==8.1.8 cookiecutter==2.6.0 gitdb==4.0.11 diff --git a/requirements/grayskull-requirements.txt b/requirements/grayskull-requirements.txt index 320d4b1b..45edc6fb 100644 --- a/requirements/grayskull-requirements.txt +++ b/requirements/grayskull-requirements.txt @@ -1,5 +1,5 @@ beautifulsoup4==4.12.3 -charset-normalizer==3.4.0 +charset-normalizer==3.4.1 colorama==0.4.6 conda-souschef==2.2.3 idna==3.10 @@ -11,7 +11,6 @@ rapidfuzz==3.11.0 requests==2.32.3 ruamel-yaml==0.18.6 ruamel-yaml-jinja2==0.2.7 -semver==3.0.2 setuptools==75.6.0 soupsieve==2.6 stdlib-list==0.11.0 diff --git a/requirements/parsedmarc-requirements.txt b/requirements/parsedmarc-requirements.txt index 5df9cf0c..fbc188c4 100644 --- a/requirements/parsedmarc-requirements.txt +++ b/requirements/parsedmarc-requirements.txt @@ -1,14 +1,14 @@ aiohappyeyeballs==2.4.4 -aiohttp==3.11.9 -aiosignal==1.3.1 -attrs==24.2.0 +aiohttp==3.11.11 +aiosignal==1.3.2 +attrs==24.3.0 azure-core==1.32.0 azure-identity==1.19.0 azure-monitor-ingestion==1.0.4 -boto3==1.35.74 -botocore==1.35.74 +boto3==1.35.87 +botocore==1.35.87 cachetools==5.5.0 -charset-normalizer==3.4.0 +charset-normalizer==3.4.1 dateparser==1.2.0 dnspython==2.7.0 elasticsearch==7.13.4 @@ -17,9 +17,9 @@ events==any.whl expiringdict==1.2.2 frozenlist==1.5.0 geoip2==4.8.1 -google-api-core==2.23.0 -google-api-python-client==2.154.0 -google-auth==2.36.0 +google-api-core==2.24.0 +google-api-python-client==2.156.0 +google-auth==2.37.0 google-auth-httplib2==0.2.0 google-auth-oauthlib==1.2.1 googleapis-common-protos==1.66.0 @@ -43,9 +43,9 @@ opensearch-py==2.8.0 portalocker==2.10.1 propcache==0.2.1 proto-plus==1.25.0 -protobuf==5.29.0 +protobuf==5.29.2 publicsuffix2==2.20191221 -publicsuffixlist==1.0.2.20241203 +publicsuffixlist==1.0.2.20241225 pyasn1==0.6.1 pyasn1-modules==0.4.1 pygelf==0.4.2 @@ -59,7 +59,7 @@ requests-oauthlib==2.0.0 rsa==4.9 s3transfer==0.10.4 simplejson==3.19.3 -six==1.16.0 +six==1.17.0 tqdm==4.67.1 typing-extensions==4.12.2 tzlocal==5.2