CVE-2024-28114: Python Jinja2 Unsafe Environment
greprules fetch cve-2024-28114-python-jinja2-unsafe-environment --engine opengrep
Description
Rendering attacker-controlled text as template source through an unrestricted `jinja2.Environment` (for example `Environment().from_string(user_input)` or `jinja2.Template(user_input)`) allows Server-Side Template Injection (SSTI). Jinja2 expressions can reach Python object attributes, so a payload can walk from an object the template already exposes (such as its `self` reference) to `__globals__`, `__builtins__` and `__import__`, and from there to `os.popen` or `subprocess`; the attacker ends up executing arbitrary OS commands with the privileges of the application process. Keep data and templates separate: the template should be a fixed string written by the developer, and untrusted values should only ever enter through the render context (`template.render(name=value)`). If dynamically supplied templates are strictly required, switch to `jinja2.sandbox.SandboxedEnvironment`, which rejects access to unsafe attributes (those starting with an underscore, among others) by raising `jinja2.exceptions.SecurityError`. The sandbox restricts what a template can reach; it is not a complete isolation boundary, and the Jinja2 documentation itself warns that it is only as good as its configuration, so pass no shared or sensitive objects into the context and catch template errors at the call site.
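The vulnerable pattern and the two mitigations from the description side by side, as an added example that is not the rule's own code and not code from the Jinja2 project. The payload, the `echo SSTI` command and the function names are constructed for illustration; the payload reaches the `os` module through the `TemplateReference` object behind the template's `self` name.

```python
"""Added example: SSTI through an unrestricted jinja2.Environment versus the
two mitigations (data kept in the render context; SandboxedEnvironment).
Not the rule's or the Jinja2 project's code; payload and names are constructed."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker input. Inside a template, `self` is a TemplateReference;
# its __init__ method carries the globals of jinja2.runtime, whose __builtins__
# entry holds __import__, which yields the os module and then os.popen.
PAYLOAD = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os')"
    ".popen('echo SSTI').read() }}"
)


def render_untrusted_unsafe(template_source: str) -> str:
    """Vulnerable pattern flagged by the rule: attacker-controlled text becomes
    the template itself and nothing restricts attribute access."""
    env = Environment()
    return env.from_string(template_source).render()


def render_untrusted_sandboxed(template_source: str) -> str:
    """Mitigation for the 'dynamic templates are strictly required' case: the
    same call under SandboxedEnvironment. Returns the rendered text, or a
    'blocked: ...' marker when the sandbox raises SecurityError (here on the
    very first step, because '__init__' is an unsafe attribute)."""
    env = SandboxedEnvironment()
    try:
        return env.from_string(template_source).render()
    except SecurityError as exc:
        return f"blocked: {exc}"


def render_as_data(user_value: str) -> str:
    """Preferred mitigation: the template is a fixed, developer-written string
    and the untrusted value only ever enters through the render context, so it
    is emitted as text and never parsed as template syntax."""
    env = Environment()
    template = env.from_string("Hello, {{ name }}!")
    return template.render(name=user_value)


if __name__ == "__main__":
    print("unsafe   :", repr(render_untrusted_unsafe(PAYLOAD)))
    print("sandboxed:", render_untrusted_sandboxed(PAYLOAD))
    print("as data  :", render_as_data(PAYLOAD))
```

The first call executes `echo SSTI` on the host and returns its output, which is the behaviour the rule is looking for; the second stops at `self.__init__` because the sandbox treats any underscore-prefixed attribute as unsafe; the third prints the payload back verbatim because it was never part of the template source. When writing a detection for this, the thing to match is a non-literal argument reaching `Environment(...).from_string(...)` or `jinja2.Template(...)`, not `render(...)`, whose arguments are the safe path.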
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided