Bug 2257854 (CVE-2024-22195)

Summary: CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, amctagga, aoconnor, bbuckingham, bcourt, bdettelb, bniver, eglynn, ehelms, epacific, flucifre, gmeno, godas, gtanzill, hhorak, jason.frey, jcammara, jchui, jhardy, jjoyce, jneedle, jobarker, jorton, jschluet, jsherril, kshier, ktsao, lhh, lsvaty, lzap, mabashia, mbenjamin, mburns, mgarciac, mhackett, mhulan, mminar, nboldt, nmoumoul, orabin, pcreech, pgrist, python-maint, rbiba, rchan, rhos-maint, rtaniwa, shrjoshi, simaishi, smcdonal, sostapov, sskracic, stcannon, teagle, tfister, tkral, tvignaud, vereddy, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: jinja2 3.1.3
Doc Type: ---
Doc Text:
A cross-site scripting (XSS) flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. This misuse of the xmlattr filter enables the injection of arbitrary HTML attributes, bypassing auto-escaping and potentially circumventing attribute validation checks.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2257864, 2257865, 2257866, 2257867, 2257868, 2257869, 2257870, 2257871, 2257872, 2257873, 2257875, 2257877, 2257878, 2257879, 2257880, 2260519    
Bug Blocks: 2257882    

Description TEJ RATHI 2024-01-11 10:25:24 UTC
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

https://github.com/pallets/jinja/releases/tag/3.1.3
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
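
The key-injection path described in the Doc Text and in the description above, as an added example that is not part of this bug report or of Jinja's own code. It models the filter's pre-3.1.3 behaviour with the standard library (html.escape stands in for markupsafe's escape, an assumption) and the 3.1.3 fix as a whitespace check on the key; the user-supplied attribute dict, the function names and the attribute-name tokenizer are constructed for the demonstration.

```python
import html
import re

# Constructed sample input: an application lets users define a custom
# attribute *name* as well as its value and passes the dict to xmlattr
# (template side: <img {{ attrs|xmlattr }}>). The name is attacker-controlled.
USER_ATTRS = {"src onerror=alert(1) x": "avatar.png"}


def _escape(s):
    # html.escape stands in for markupsafe.escape (assumption): both escape
    # the same five characters (& < > " '), so quotes cannot break out of a
    # value, but whitespace and '=' pass through untouched.
    return html.escape(str(s), quote=True)


def xmlattr_vulnerable(d):
    """Models the pre-3.1.3 filter (assumption, not Jinja's code): every key
    and value is HTML-escaped, but whitespace in a key is passed through, so a
    key can carry extra attributes that the browser splits out."""
    parts = [f'{_escape(k)}="{_escape(v)}"' for k, v in d.items() if v is not None]
    return " " + " ".join(parts) if parts else ""


_BAD_KEY = re.compile(r"\s", flags=re.ASCII)


def xmlattr_fixed(d):
    """Same rendering with the 3.1.3 rule: a key containing whitespace is an
    error rather than output. Hypothetical helper mirroring the fix."""
    for k in d:
        if _BAD_KEY.search(str(k)):
            raise ValueError(f"Invalid character in attribute name: {k!r}")
    return xmlattr_vulnerable(d)


def attribute_names(attr_string):
    """Crude split of a rendered attribute string into attribute names, the
    way a browser tokenizes it: drop quoted values, then unquoted ones, and
    whatever remains separated by whitespace is a name. Demonstration only."""
    s = re.sub(r'="[^"]*"', "", attr_string)   # key="value"
    s = re.sub(r"=\S*", "", s)                  # key=value (unquoted)
    return s.split()


if __name__ == "__main__":
    rendered = xmlattr_vulnerable(USER_ATTRS)
    print("vulnerable: <img" + rendered + ">")
    print("attributes the browser sees:", attribute_names(rendered))
    try:
        xmlattr_fixed(USER_ATTRS)
    except ValueError as exc:
        print("fixed:", exc)
    # Values are safe either way: quotes inside a value are escaped.
    print("value injection attempt:", xmlattr_fixed({"data-id": '7" onclick="alert(1)'}))
```

The point the example makes is that escaping alone does not help here: the value side is safe because quotes are escaped, but an attribute name containing whitespace is emitted verbatim and the browser reads `onerror=alert(1)` as a second attribute. An attribute name also cannot legally contain `/`, `>` or `=`, so an application-side check that rejects `[\s/>=]` is a reasonable stricter choice than the whitespace-only rule shown; better still is to never take attribute names from user input at all and allow-list the names the template may emit.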

Comment 1 TEJ RATHI 2024-01-11 11:39:48 UTC
Upstream Commit: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 (3.1.3)

Comment 2 TEJ RATHI 2024-01-11 11:41:34 UTC
Created mingw-python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2257865]


Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2257864]


Created python3-jinja2 tracking bugs for this issue:

Affects: epel-all [bug 2257868]


Created python3.11-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2257867]


Created python39-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2257866]

Comment 13 errata-xmlrpc 2024-02-29 19:41:53 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057

Comment 14 errata-xmlrpc 2024-03-05 18:08:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1155 https://access.redhat.com/errata/RHSA-2024:1155

Comment 15 errata-xmlrpc 2024-03-27 13:19:07 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2024:1536 https://access.redhat.com/errata/RHSA-2024:1536

Comment 16 errata-xmlrpc 2024-04-02 19:30:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 17 errata-xmlrpc 2024-04-18 01:52:01 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

Comment 18 errata-xmlrpc 2024-04-23 17:17:05 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010

Comment 19 errata-xmlrpc 2024-04-30 09:35:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2132 https://access.redhat.com/errata/RHSA-2024:2132

Comment 20 errata-xmlrpc 2024-04-30 10:04:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2348 https://access.redhat.com/errata/RHSA-2024:2348

Comment 21 errata-xmlrpc 2024-05-22 09:23:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2968 https://access.redhat.com/errata/RHSA-2024:2968

Comment 22 errata-xmlrpc 2024-05-22 09:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2987 https://access.redhat.com/errata/RHSA-2024:2987

Comment 23 errata-xmlrpc 2024-05-22 09:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3102 https://access.redhat.com/errata/RHSA-2024:3102

Comment 24 errata-xmlrpc 2024-05-22 20:35:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2733 https://access.redhat.com/errata/RHSA-2024:2733

Comment 25 errata-xmlrpc 2024-06-13 14:33:25 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 7.1

Via RHSA-2024:3927 https://access.redhat.com/errata/RHSA-2024:3927