CVE-2016-10745 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.6 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 77%

Affected Products (NVD)

Vendor	Product	Version
palletsprojects	jinja	𝑥 < 2.8.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jinja2

bookworm	3.1.2-1 fixed
bullseye	2.11.3-1 fixed
jessie	no-dsa
sid	3.1.3-1 fixed
stretch	no-dsa
trixie	3.1.3-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

jinja2

bionic	not-affected
cosmic	not-affected
disco	not-affected
trusty	Fixed 2.7.2-2ubuntu0.1~esm1 released
xenial	Fixed 2.8-1ubuntu0.1 released

openSUSE / SLES Releases

openSUSE Product

Release

python2-Jinja2

suse enterprise desktop 15	2.10.1-3.5.1 fixed
suse enterprise sap 15	2.10.1-3.5.1 fixed
suse enterprise server 15	2.10.1-3.5.1 fixed

python3-Jinja2

suse enterprise desktop 15	2.10.1-3.5.1 fixed
suse enterprise sap 15	2.10.1-3.5.1 fixed
suse enterprise server 15	2.10.1-3.5.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

python-jinja2

RHEL 7

0:2.7.2-3.el7_6

fixed

Common Weakness Enumeration

CWE-134 - Use of Externally-Controlled Format String
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html

https://access.redhat.com/errata/RHSA-2019:1022

https://access.redhat.com/errata/RHSA-2019:1237

https://access.redhat.com/errata/RHSA-2019:1260

https://access.redhat.com/errata/RHSA-2019:3964

https://access.redhat.com/errata/RHSA-2019:4062

https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16

https://palletsprojects.com/blog/jinja-281-released/

https://usn.ubuntu.com/4011-1/

https://usn.ubuntu.com/4011-2/