Vulnerability Details CVE-2021-44657
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.026
EPSS Ranking 84.9%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.0
References
- https://github.com/StackStorm/st2/pull/5359
- https://github.com/pallets/jinja/issues/549
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
- https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/
- https://github.com/StackStorm/st2/pull/5359
- https://github.com/pallets/jinja/issues/549
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
- https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/
Products affected by CVE-2021-44657
-
cpe:2.3:a:stackstorm:stackstorm:0.11.0
-
cpe:2.3:a:stackstorm:stackstorm:0.11.1
-
cpe:2.3:a:stackstorm:stackstorm:0.11.2
-
cpe:2.3:a:stackstorm:stackstorm:0.11.3
-
cpe:2.3:a:stackstorm:stackstorm:0.11.4
-
cpe:2.3:a:stackstorm:stackstorm:0.11.5
-
cpe:2.3:a:stackstorm:stackstorm:0.11.6
-
cpe:2.3:a:stackstorm:stackstorm:0.12.0
-
cpe:2.3:a:stackstorm:stackstorm:0.12.1
-
cpe:2.3:a:stackstorm:stackstorm:0.12.2
-
cpe:2.3:a:stackstorm:stackstorm:0.12.3
-
cpe:2.3:a:stackstorm:stackstorm:0.13.0
-
cpe:2.3:a:stackstorm:stackstorm:0.13.1
-
cpe:2.3:a:stackstorm:stackstorm:0.13.2
-
cpe:2.3:a:stackstorm:stackstorm:0.5.1
-
cpe:2.3:a:stackstorm:stackstorm:0.6.0
-
cpe:2.3:a:stackstorm:stackstorm:0.7
-
cpe:2.3:a:stackstorm:stackstorm:0.8.0
-
cpe:2.3:a:stackstorm:stackstorm:0.8.1
-
cpe:2.3:a:stackstorm:stackstorm:0.8.2
-
cpe:2.3:a:stackstorm:stackstorm:0.8.3
-
cpe:2.3:a:stackstorm:stackstorm:0.9.0
-
cpe:2.3:a:stackstorm:stackstorm:0.9.1
-
cpe:2.3:a:stackstorm:stackstorm:0.9.2
-
cpe:2.3:a:stackstorm:stackstorm:1.1.0
-
cpe:2.3:a:stackstorm:stackstorm:1.1.1
-
cpe:2.3:a:stackstorm:stackstorm:1.2.0
-
cpe:2.3:a:stackstorm:stackstorm:1.3.0
-
cpe:2.3:a:stackstorm:stackstorm:1.3.1
-
cpe:2.3:a:stackstorm:stackstorm:1.3.2
-
cpe:2.3:a:stackstorm:stackstorm:1.4.0
-
cpe:2.3:a:stackstorm:stackstorm:1.5.0
-
cpe:2.3:a:stackstorm:stackstorm:1.5.1
-
cpe:2.3:a:stackstorm:stackstorm:1.6.0
-
cpe:2.3:a:stackstorm:stackstorm:2.0.0
-
cpe:2.3:a:stackstorm:stackstorm:2.0.1
-
cpe:2.3:a:stackstorm:stackstorm:2.1.0
-
cpe:2.3:a:stackstorm:stackstorm:2.1.1
-
cpe:2.3:a:stackstorm:stackstorm:2.10.0
-
cpe:2.3:a:stackstorm:stackstorm:2.10.1
-
cpe:2.3:a:stackstorm:stackstorm:2.10.2
-
cpe:2.3:a:stackstorm:stackstorm:2.10.3
-
cpe:2.3:a:stackstorm:stackstorm:2.10.4
-
cpe:2.3:a:stackstorm:stackstorm:2.2.0
-
cpe:2.3:a:stackstorm:stackstorm:2.2.1
-
cpe:2.3:a:stackstorm:stackstorm:2.3.0
-
cpe:2.3:a:stackstorm:stackstorm:2.3.1
-
cpe:2.3:a:stackstorm:stackstorm:2.3.2
-
cpe:2.3:a:stackstorm:stackstorm:2.4.0
-
cpe:2.3:a:stackstorm:stackstorm:2.4.1
-
cpe:2.3:a:stackstorm:stackstorm:2.5.0
-
cpe:2.3:a:stackstorm:stackstorm:2.5.1
-
cpe:2.3:a:stackstorm:stackstorm:2.6.0
-
cpe:2.3:a:stackstorm:stackstorm:2.7.0
-
cpe:2.3:a:stackstorm:stackstorm:2.7.1
-
cpe:2.3:a:stackstorm:stackstorm:2.7.2
-
cpe:2.3:a:stackstorm:stackstorm:2.8.0
-
cpe:2.3:a:stackstorm:stackstorm:2.8.1
-
cpe:2.3:a:stackstorm:stackstorm:2.9.0
-
cpe:2.3:a:stackstorm:stackstorm:2.9.1
-
cpe:2.3:a:stackstorm:stackstorm:2.9.2
-
cpe:2.3:a:stackstorm:stackstorm:2.9.3
-
cpe:2.3:a:stackstorm:stackstorm:3.0.0
-
cpe:2.3:a:stackstorm:stackstorm:3.0.1
-
cpe:2.3:a:stackstorm:stackstorm:3.1.0
-
cpe:2.3:a:stackstorm:stackstorm:3.2.0
-
cpe:2.3:a:stackstorm:stackstorm:3.3.0
-
cpe:2.3:a:stackstorm:stackstorm:3.4.0
-
cpe:2.3:a:stackstorm:stackstorm:3.4.1
-
cpe:2.3:a:stackstorm:stackstorm:3.5.0