CVE-2024-7093

CRITICAL

Netflix Dispatch < v20240731 - Remote Code Execution via Jinja Template Injection


Description

Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out.

Scores

CVSS v4 9.4
CVSS v4 Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS 0.0051
EPSS Percentile 39.5%

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-94
Status published
Products (1) Netflix/Dispatch < v20240731
Published Aug 01, 2024
Tracked Since Feb 18, 2026