Vulnerabilities (CVE)

Filtered by vendor Pocoo Subscribe
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-42771 2 Debian, Pocoo 2 Debian Linux, Babel 2024-11-21 7.2 HIGH 7.8 HIGH
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
CVE-2019-8341 2 Opensuse, Pocoo 2 Leap, Jinja2 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing
CVE-2014-1402 1 Pocoo 1 Jinja2 2024-11-21 4.4 MEDIUM N/A
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
CVE-2014-0012 1 Pocoo 1 Jinja2 2024-11-21 4.4 MEDIUM N/A
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.