VU#244846: Server-Side Template Injection (SSTI) vulnerability exist in Genshi
The Genshi template engine suffers from a Server-Side Template Injection (SSTI) vulnerability. The vulnerability stems from unsafe evaluation of template expressions using Python's eval() and exec() functions. Genshi allows fallback access to Python's built-in objects during expression evaluation. An attacker can leverage this behavior to execute arbitrary code on the server. The attacker gains control by influencing or injecting malicious template expressions. This control can lead to remote code execution (RCE) with the application's privileges. The impact includes operating system commands, data access, and server compromise. The provided document offers mitigation strategies such as preventing untrusted input and sandboxing templates. Currently, no official patch from Genshi exists to address the vulnerability. The report acknowledges Jangwoo Choe and Michael Bragg for their contributions.
eval()andexec()functions. Genshi allows fallback access to Python's built-in objects during expression evaluation. An attacker can leverage this behavior to execute arbitrary code on the server. The attacker gains control by influencing or injecting malicious template expressions. This control can lead to remote code execution (RCE) with the application's privileges. The impact includes operating system commands, data access, and server compromise. The provided document offers mitigation strategies such as preventing untrusted input and sandboxing templates. Currently, no official patch from Genshi exists to address the vulnerability. The report acknowledges Jangwoo Choe and Michael Bragg for their contributions.