From e9f83150a65fc27513f0fa7c3d21b4ee1de32352 Mon Sep 17 00:00:00 2001
From: "pulumi-renovate[bot]"
<189166143+pulumi-renovate[bot]@users.noreply.github.com>
Date: Wed, 25 Dec 2024 00:18:01 +0000
Subject: [PATCH] Update dependency Jinja2 to v3.1.5 [SECURITY] (#1751)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [Jinja2](https://redirect.github.com/pallets/jinja)
([changelog](https://jinja.palletsprojects.com/changes/)) | patch |
`==3.1.4` -> `==3.1.5` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Jinja has a sandbox breakout through malicious filenames
[CVE-2024-56201](https://nvd.nist.gov/vuln/detail/CVE-2024-56201) /
[GHSA-gmj6-6f8f-6699](https://redirect.github.com/advisories/GHSA-gmj6-6f8f-6699)
More information
#### Details
A bug in the Jinja compiler allows an attacker that controls both the
content and filename of a template to execute arbitrary Python code,
regardless of if Jinja's sandbox is used.
To exploit the vulnerability, an attacker needs to control both the
filename and the contents of a template. Whether that is the case
depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates where
the template author can also choose the template filename.
#### Severity
- CVSS Score: Unknown
- Vector String:
`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
#### References
-
[https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699)
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-56201](https://nvd.nist.gov/vuln/detail/CVE-2024-56201)
-
[https://github.com/pallets/jinja/issues/1792](https://redirect.github.com/pallets/jinja/issues/1792)
-
[https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f](https://redirect.github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f)
-
[https://github.com/pallets/jinja](https://redirect.github.com/pallets/jinja)
-
[https://github.com/pallets/jinja/releases/tag/3.1.5](https://redirect.github.com/pallets/jinja/releases/tag/3.1.5)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-gmj6-6f8f-6699) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
---
### Jinja has a sandbox breakout through indirect reference to format
method
[CVE-2024-56326](https://nvd.nist.gov/vuln/detail/CVE-2024-56326) /
[GHSA-q2x7-8rv6-6q7h](https://redirect.github.com/advisories/GHSA-q2x7-8rv6-6q7h)
More information
#### Details
An oversight in how the Jinja sandboxed environment detects calls to
`str.format` allows an attacker that controls the content of a template
to execute arbitrary Python code.
To exploit the vulnerability, an attacker needs to control the content
of a template. Whether that is the case depends on the type of
application using Jinja. This vulnerability impacts users of
applications which execute untrusted templates.
Jinja's sandbox does catch calls to `str.format` and ensures they don't
escape the sandbox. However, it's possible to store a reference to a
malicious string's `format` method, then pass that to a filter that
calls it. No such filters are built-in to Jinja, but could be present
through custom filters in an application. After the fix, such indirect
calls are also handled by the sandbox.
#### Severity
- CVSS Score: Unknown
- Vector String:
`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
#### References
-
[https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h)
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-56326](https://nvd.nist.gov/vuln/detail/CVE-2024-56326)
-
[https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4](https://redirect.github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4)
-
[https://github.com/pallets/jinja](https://redirect.github.com/pallets/jinja)
-
[https://github.com/pallets/jinja/releases/tag/3.1.5](https://redirect.github.com/pallets/jinja/releases/tag/3.1.5)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-q2x7-8rv6-6q7h) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
---
### Release Notes
pallets/jinja (Jinja2)
###
[`v3.1.5`](https://redirect.github.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-315)
[Compare
Source](https://redirect.github.com/pallets/jinja/compare/3.1.4...3.1.5)
Released 2024-12-21
- The sandboxed environment handles indirect calls to `str.format`, such
as
by passing a stored reference to a filter that calls its argument.
:ghsa:`q2x7-8rv6-6q7h`
- Escape template name before formatting it into error messages, to
avoid
issues with names that contain f-string syntax.
:issue:`1792`, :ghsa:`gmj6-6f8f-6699`
- Sandbox does not allow `clear` and `pop` on known mutable sequence
types. :issue:`2032`
- Calling sync `render` for an async template uses `asyncio.run`.
:pr:`1952`
- Avoid unclosed `auto_aiter` warnings. :pr:`1960`
- Return an `aclose`-able `AsyncGenerator` from
`Template.generate_async`. :pr:`1960`
- Avoid leaving `root_render_func()` unclosed in
`Template.generate_async`. :pr:`1960`
- Avoid leaving async generators unclosed in blocks, includes and
extends.
:pr:`1960`
- The runtime uses the correct `concat` function for the current
environment
when calling block references. :issue:`1701`
- Make `|unique` async-aware, allowing it to be used after another
async-aware filter. :issue:`1781`
- `|int` filter handles `OverflowError` from scientific notation.
:issue:`1921`
- Make compiling deterministic for tuple unpacking in a `{% set ... %}`
call. :issue:`2021`
- Fix dunder protocol (`copy`/`pickle`/etc) interaction with `Undefined`
objects. :issue:`2025`
- Fix `copy`/`pickle` support for the internal `missing` object.
:issue:`2027`
- `Environment.overlay(enable_async)` is applied correctly. :pr:`2061`
- The error message from `FileSystemLoader` includes the paths that were
searched. :issue:`1661`
- `PackageLoader` shows a clearer error message when the package does
not
contain the templates directory. :issue:`1705`
- Improve annotations for methods returning copies. :pr:`1880`
- `urlize` does not add `mailto:` to values like `@a@b`. :pr:`1870`
- Tests decorated with `@pass_context`` can be used with the ``|select``
filter. :issue:`1624\`
- Using `set` for multiple assignment (`a, b = 1, 2`) does not fail when
the
target is a namespace attribute. :issue:`1413`
- Using `set` in all branches of `{% if %}{% elif %}{% else %}` blocks
does not cause the variable to be considered initially undefined.
:issue:`1253`
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - "every weekday"
(UTC).
🚦 **Automerge**: Enabled.
â™» **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
---
.../application/src/backend/requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-ts-stackreference-architecture/application/src/backend/requirements.txt b/aws-ts-stackreference-architecture/application/src/backend/requirements.txt
index 117216296..6e721d3c0 100644
--- a/aws-ts-stackreference-architecture/application/src/backend/requirements.txt
+++ b/aws-ts-stackreference-architecture/application/src/backend/requirements.txt
@@ -2,7 +2,7 @@ Click==7.0
dnspython==2.6.1
Flask==2.2.5
itsdangerous==0.24
-Jinja2==3.1.4
+Jinja2==3.1.5
MarkupSafe>=1.0
Werkzeug==3.0.6
requests==2.32.2