CVE-2021-44657
N/A
N/A
Summary
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/StackStorm/st2/pull/5359
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
- https://github.com/pallets/jinja/issues/549
- https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/
References
- https://github.com/StackStorm/st2/pull/5359
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
- https://github.com/pallets/jinja/issues/549
- https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.