Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Med] Snyk: Sandbox Escape (due 6/10/19) #2822

Closed
Tracked by #137
, #113
...
rjayasekera opened this issue Apr 11, 2019 · 0 comments · Fixed by #2919
Closed
Tracked by #137
, #113
...

[Med] Snyk: Sandbox Escape (due 6/10/19) #2822

rjayasekera opened this issue Apr 11, 2019 · 0 comments · Fixed by #2919
Assignees
@rfultz
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 9.1

Comments

@rjayasekera
Copy link
Contributor

https://app.snyk.io/vuln/SNYK-PYTHON-JINJA2-174126

Overview
jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Sandbox Escape via the str.format_map.

Detailed paths
Introduced through: [email protected][email protected][email protected]
Introduced through: [email protected][email protected]

Remediation
Upgrade jinja2 to version 2.10.1 or higher.
@rjayasekera rjayasekera added this to the Sprint 8.6 milestone Apr 11, 2019
@rjayasekera rjayasekera mentioned this issue Apr 11, 2019
Closed
@pkfec pkfec changed the title Sandbox Escape -- MEDIUM SEVERITY (from check logs [MEDIUM] Sandbox Escape fix by 20190610 Apr 11, 2019
@pkfec pkfec modified the milestones: Sprint 8.6, Sprint 8.7 Apr 11, 2019
@fecjjeng fecjjeng mentioned this issue Apr 17, 2019
Closed
@jason-upchurch jason-upchurch mentioned this issue Apr 24, 2019
Closed
@hcaofec hcaofec mentioned this issue May 1, 2019
Closed
@fec-jli fec-jli mentioned this issue May 8, 2019
Closed
@jason-upchurch jason-upchurch added the Security: moderate Remediate within 60 days label May 16, 2019
@jason-upchurch jason-upchurch modified the milestones: Sprint 8.7, Sprint 9.1 May 16, 2019
@jason-upchurch jason-upchurch changed the title [MEDIUM] Sandbox Escape fix by 20190610 [Med] Snyk: Sandbox Escape (due 6/10/19) May 16, 2019
@jason-upchurch jason-upchurch mentioned this issue May 16, 2019
Closed
This was referenced May 23, 2019
Closed
Closed
@rfultz rfultz mentioned this issue May 29, 2019
Merged
lbeaufort added a commit that referenced this issue May 31, 2019
@lbeaufort
Merge pull request #2919 from fecgov/feature/2822-snyk-upgrade-jinja
52ef7fb 
#2822 - Update requirements.txt to Jinja2==2.10.1 from 2.9.6
This was referenced Feb 29, 2024
Open
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfultz rfultz

Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 9.1
Development

Successfully merging a pull request may close this issue.

#2822 - Update requirements.txt to Jinja2==2.10.1 from 2.9.6 fecgov/fec-cms
4 participants
@pkfec @rjayasekera @rfultz @jason-upchurch