{"schema_version":"1.7.2","id":"OESA-2025-1530","modified":"2025-05-16T13:25:18Z","published":"2025-05-16T13:25:18Z","upstream":["CVE-2025-27516"],"summary":"python-jinja2 security update","details":"Jinja2 is one of the most used template engines for Python. It is inspired by Django\u0026amp;apos;s templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important.\r\n\r\nSecurity Fix(es):\n\nJinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja\u0026apos;s sandbox does catch calls to str.format and ensures they don\u0026apos;t escape the sandbox. However, it\u0026apos;s possible to use the |attr filter to get a reference to a string\u0026apos;s plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment\u0026apos;s attribute lookup. This vulnerability is fixed in 3.1.6.(CVE-2025-27516)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"python-jinja2","purl":"pkg:rpm/openEuler/python-jinja2\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.3-7.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["python-jinja2-help-3.0.3-7.oe2203sp4.noarch.rpm","python3-jinja2-3.0.3-7.oe2203sp4.noarch.rpm"],"src":["python-jinja2-3.0.3-7.oe2203sp4.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1530"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27516"}],"database_specific":{"severity":"High"}}