chore(deps): update dependency jinja2 to v3.1.6 [security] #2518
Conversation
Hi @renovate[bot]. Thanks for your PR. I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/ok-to-test

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: kim-tsao
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

verified there are no errors when running

/cherrypick release-1.5

@kim-tsao: once the present PR merges, I will cherry-pick it on top of
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kim-tsao: new pull request created: #2529
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kim-tsao: new pull request created: #2530
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kim-tsao: new pull request created: #2531
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
…veloper#2518) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
Package: jinja2, Change: ==3.1.5 -> ==3.1.6

GitHub Vulnerability Alerts
CVE-2025-27516
An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code.
To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup.
Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
CVE-2025-27516 / GHSA-cpwx-vrp4-4pq7
Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
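To make the advisory's mechanism concrete, here is a constructed toy model of the bug class (an added example, not Jinja's code): a filter that performs its own attribute lookup silently skips the sandbox's checks, and the fix is to route the lookup through the environment. The Sandbox class, the attr_filter_* functions and the blocked-attribute policy are assumptions for illustration only.

```python
# Constructed toy model (added example, not Jinja's code) of the bug class in
# CVE-2025-27516: a filter doing its own attribute lookup instead of going
# through the sandbox's checked lookup. Names and policy here are assumed.


class SecurityError(Exception):
    """Raised when template code tries to reach an attribute the sandbox forbids."""


class Sandbox:
    """Minimal stand-in for a sandboxed environment with a checked attribute lookup."""

    def is_safe_attribute(self, obj, name):
        # Private/dunder attributes are never safe; a string's plain format
        # method is treated as unsafe too, since that is what the sandbox polices.
        if name.startswith("_"):
            return False
        if isinstance(obj, str) and name in ("format", "format_map"):
            return False
        return True

    def getattr(self, obj, name):
        """The environment's own lookup: every attribute access passes the check."""
        if not self.is_safe_attribute(obj, name):
            raise SecurityError(f"{type(obj).__name__}.{name} is not allowed")
        return getattr(obj, name)


def attr_filter_vulnerable(env, obj, name):
    """Pre-fix shape: a plain getattr, so the sandbox's checks never run."""
    return getattr(obj, name)


def attr_filter_fixed(env, obj, name):
    """Post-fix shape: delegate to the environment's checked lookup."""
    return env.getattr(obj, name)


def lookup(attr_filter, env, obj, name):
    """Run a filter and report whether the sandbox blocked the access."""
    try:
        return ("ok", attr_filter(env, obj, name))
    except SecurityError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    env = Sandbox()
    for flt in (attr_filter_vulnerable, attr_filter_fixed):
        print(flt.__name__, lookup(flt, env, "x", "format")[0])
```

The same policy object is used in both runs; only the filter's choice of lookup path changes, which is why a sandbox can only be as strong as the least-checked path into getattr.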
Release Notes
pallets/jinja (jinja2)
v3.1.6
This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Jinja2/3.1.6/
Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6
The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.