com.hubspot.jinjava:jinjava 2.0.11-java7

Direct Vulnerabilities

Known vulnerabilities in the com.hubspot.jinjava:jinjava package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Improper Neutralization of Special Elements Used in a Template Engine com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content). Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the `ForTag` class, which fails to enforce proper restrictions when iterating over object properties and allows bypassing of sandbox mechanisms. An attacker can execute arbitrary Java code, instantiate unauthorized classes, and access sensitive files by crafting malicious templates that exploit property access and deserialization features. How to fix Improper Neutralization of Special Elements Used in a Template Engine? Upgrade `com.hubspot.jinjava:jinjava` to version 2.7.6, 2.8.3 or higher.	[,2.7.6)[2.8.0,2.8.3)
C Improper Neutralization of Special Elements Used in a Template Engine com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content). Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine due to using `mapper.getTypeFactory().constructFromCanonical()` function. An attacker can instantiate arbitrary classes and potentially execute code by supplying crafted input to the deserialization process. How to fix Improper Neutralization of Special Elements Used in a Template Engine? Upgrade `com.hubspot.jinjava:jinjava` to version 2.8.1 or higher.	[,2.8.1)
H Information Exposure com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content). Affected versions of this package are vulnerable to Information Exposure. It allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. How to fix Information Exposure? Upgrade `com.hubspot.jinjava:jinjava` to version 2.5.4 or higher.	[,2.5.4)
M Remote Code Execution (RCE) com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content). Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the `com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java` path. It was possible to call the `getClass()` method on any object. How to fix Remote Code Execution (RCE)? Upgrade `com.hubspot.jinjava:jinjava` to version 2.4.6 or higher.	[,2.4.6)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements Used in a Template Engine

com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the ForTag class, which fails to enforce proper restrictions when iterating over object properties and allows bypassing of sandbox mechanisms. An attacker can execute arbitrary Java code, instantiate unauthorized classes, and access sensitive files by crafting malicious templates that exploit property access and deserialization features.

How to fix Improper Neutralization of Special Elements Used in a Template Engine?

Upgrade com.hubspot.jinjava:jinjava to version 2.7.6, 2.8.3 or higher.

[,2.7.6)[2.8.0,2.8.3)

Improper Neutralization of Special Elements Used in a Template Engine

com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine due to using mapper.getTypeFactory().constructFromCanonical() function. An attacker can instantiate arbitrary classes and potentially execute code by supplying crafted input to the deserialization process.

How to fix Improper Neutralization of Special Elements Used in a Template Engine?

Upgrade com.hubspot.jinjava:jinjava to version 2.8.1 or higher.

[,2.8.1)

Information Exposure

com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).

Affected versions of this package are vulnerable to Information Exposure. It allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context.

How to fix Information Exposure?

Upgrade com.hubspot.jinjava:jinjava to version 2.5.4 or higher.

[,2.5.4)

Remote Code Execution (RCE)

com.hubspot.jinjava:jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java path. It was possible to call the getClass() method on any object.

How to fix Remote Code Execution (RCE)?

Upgrade com.hubspot.jinjava:jinjava to version 2.4.6 or higher.

[,2.4.6)

com.hubspot.jinjava:jinjava@2.0.11-java7

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically