Bug 2279476 (CVE-2024-34064)

Summary: CVE-2024-34064 jinja2: accepts keys containing non-attribute characters
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aarif, abarbaro, adudiak, amctagga, anthomas, aoconnor, aprice, bbuckingham, bcourt, bdettelb, bniver, brking, caswilli, cdaley, crizzo, davidn, dfreiber, doconnor, dranck, drow, eglynn, ehelms, epacific, fjansen, flucifre, ggainey, gmeno, godas, gtanzill, haoli, hhorak, hkataria, jajackso, jason.frey, jburrell, jcammara, jchui, jdobes, jhardy, jhe, jjoyce, jmitchel, jneedle, jobarker, jorton, jsamir, jschluet, jsherril, jtanner, juwatts, jwong, kaycoth, kegrant, kholdawa, koliveir, kshier, ktsao, kyoshida, lcouzens, lhh, lsvaty, lzap, mabashia, mbenjamin, mburns, mgarciac, mhackett, mhulan, mminar, mpierce, mskarbek, nboldt, nmoumoul, oezr, omaciel, orabin, osousa, pbraun, pcreech, pgrist, psegedy, psrna, python-maint, rbiba, rbobbitt, rchan, rhos-maint, rtaniwa, shrjoshi, shvarugh, sidakwo, simaishi, smallamp, smcdonal, sostapov, sskracic, stcannon, sthirugn, teagle, tfister, thavo, tkral, tvignaud, vereddy, vkrizan, vkumar, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jinja2 3.1.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jinja2. The `xmlattr` filter accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could inject other attributes and perform cross-site scripting (XSS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2279487, 2279489, 2292741, 2349920, 2279477, 2279478, 2279479, 2279480, 2279481, 2279482, 2279483, 2279484, 2279485, 2279486, 2279488, 2279490, 2279491    
Bug Blocks: 2279475    

Description Rohit Keshri 2024-05-07 06:30:20 UTC 
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
Comment 1 Rohit Keshri 2024-05-07 06:36:32 UTC 
Created mingw-python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2279486]


Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2279491]


Created python3-jinja2 tracking bugs for this issue:

Affects: epel-all [bug 2279489]


Created python3.11-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2279487]


Created python39-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2279488]
Comment 8 errata-xmlrpc 2024-06-10 18:37:56 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
Comment 9 errata-xmlrpc 2024-06-11 13:08:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:3795 https://access.redhat.com/errata/RHSA-2024:3795
Comment 10 errata-xmlrpc 2024-06-11 17:29:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3811 https://access.redhat.com/errata/RHSA-2024:3811
Comment 11 errata-xmlrpc 2024-06-11 19:40:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3820 https://access.redhat.com/errata/RHSA-2024:3820
Comment 12 errata-xmlrpc 2024-07-02 15:21:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4231 https://access.redhat.com/errata/RHSA-2024:4231
Comment 13 errata-xmlrpc 2024-07-09 08:48:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4404 https://access.redhat.com/errata/RHSA-2024:4404
Comment 14 errata-xmlrpc 2024-07-09 09:20:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4414 https://access.redhat.com/errata/RHSA-2024:4414
Comment 15 errata-xmlrpc 2024-07-09 12:51:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4427 https://access.redhat.com/errata/RHSA-2024:4427
Comment 16 errata-xmlrpc 2024-07-12 01:40:46 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:4522 https://access.redhat.com/errata/RHSA-2024:4522
Comment 17 errata-xmlrpc 2024-07-24 19:09:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4616 https://access.redhat.com/errata/RHSA-2024:4616
Comment 19 errata-xmlrpc 2024-08-07 02:04:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4958 https://access.redhat.com/errata/RHSA-2024:4958
Comment 20 errata-xmlrpc 2024-08-20 20:30:42 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:5662 https://access.redhat.com/errata/RHSA-2024:5662
Comment 21 errata-xmlrpc 2024-08-22 11:41:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433
Comment 24 errata-xmlrpc 2024-09-04 08:13:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6011 https://access.redhat.com/errata/RHSA-2024:6011
Comment 26 errata-xmlrpc 2024-11-12 08:59:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9150 https://access.redhat.com/errata/RHSA-2024:9150
Comment 27 errata-xmlrpc 2025-02-12 00:09:18 UTC 
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335