USN-7343-1: Jinja2 vulnerabilities
Ubuntu DesktopCanonical
Update from:USN-7343-1: Jinja2 vulnerabilities
11 March 2025
Several security issues were fixed in Jinja2.
Releases
Ubuntu 24.10 Ubuntu 24.04 LTS Ubuntu 22.04 LTS Ubuntu 20.04 LTS Ubuntu 18.04 ESM Ubuntu 16.04 ESM Ubuntu 14.04 ESM
Packages
jinja2 - small but fast and easy to use stand-alone template engine
Details
Rafal Krupinski discovered that Jinja2 did not properly restrict
the execution of code in situations where templates are used maliciously.
An attacker with control over a template’s filename and content could
potentially use this issue to enable the execution of arbitrary code.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2024-56201)
It was discovered that Jinja2 sandboxed environments could be escaped
through a call to a string format method. An attacker could possibly use
this issue to enable the execution of arbitrary code. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-56326)
It was discovered that Jinja2 sandboxed environments could be escaped
through the malicious use of certain filters. An attacker could possibly
use this issue to enable the execution of arbitrary code. (CVE-2025-27516)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
- python3-jinja2 - 3.1.3-1ubuntu1.24.10.2
Ubuntu 24.04 - python3-jinja2 - 3.1.2-1ubuntu1.3
Ubuntu 22.04 - python3-jinja2 - 3.0.3-1ubuntu0.4
Ubuntu 20.04 - python-jinja2 - 2.10.1-2ubuntu0.5
- python3-jinja2 - 2.10.1-2ubuntu0.5
Ubuntu 18.04 - python-jinja2 - 2.10-1ubuntu0.18.04.1+esm4
- python3-jinja2 - 2.10-1ubuntu0.18.04.1+esm4
Ubuntu 16.04 - python-jinja2 - 2.8-1ubuntu0.1+esm5
- python3-jinja2 - 2.8-1ubuntu0.1+esm5
Ubuntu 14.04 - python-jinja2 - 2.7.2-2ubuntu0.1~esm6
- python3-jinja2 - 2.7.2-2ubuntu0.1~esm6
In general, a standard system update will make all the necessary changes.
