Vulnerability Description
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Stackstorm | Stackstorm | < 3.6.0 |
References
- https://github.com/StackStorm/st2/pull/5359PatchThird Party Advisory
- https://github.com/pallets/jinja/issues/549ExploitIssue TrackingThird Party Advisory
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinjExploitThird Party Advisory
- https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/Release NotesVendor Advisory
- https://github.com/StackStorm/st2/pull/5359PatchThird Party Advisory
- https://github.com/pallets/jinja/issues/549ExploitIssue TrackingThird Party Advisory
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinjExploitThird Party Advisory
- https://stackstorm.com/2021/12/16/stackstorm-v3-6-0-released/Release NotesVendor Advisory
FAQ
What is CVE-2021-44657?
CVE-2021-44657 is a vulnerability with a CVSS score of 8.8 (HIGH). In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to bac...
How severe is CVE-2021-44657?
CVE-2021-44657 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-44657?
Check the references section above for vendor advisories and patch information. Affected products include: Stackstorm Stackstorm.