Bug 2257854 (CVE-2024-22195) - CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
Summary: CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
Keywords:
Status: NEW
Alias: CVE-2024-22195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2257869 2257870 2257871 2257872 2257864 2257865 2257866 2257867 2257868 2257873 2257875 2257877 2257878 2257879 2257880 2260519
Blocks: 2257882
Reported: 2024-01-11 10:25 UTC by TEJ RATHI
Modified: 2024-05-22 20:35 UTC (History)

Fixed In Version: jinja2 3.1.3
Doc Type: ---
Doc Text:
A cross-site scripting (XSS) flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. This misuse of the xmlattr filter enables the injection of arbitrary HTML attributes, bypassing auto-escaping and potentially circumventing attribute validation checks.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1057 0 None None None 2024-02-29 19:41:55 UTC
Red Hat Product Errata RHSA-2024:1155 0 None None None 2024-03-05 18:08:51 UTC
Red Hat Product Errata RHSA-2024:1536 0 None None None 2024-03-27 13:19:10 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:25 UTC
Red Hat Product Errata RHSA-2024:1878 0 None None None 2024-04-18 01:52:04 UTC
Red Hat Product Errata RHSA-2024:2010 0 None None None 2024-04-23 17:17:08 UTC
Red Hat Product Errata RHSA-2024:2132 0 None None None 2024-04-30 09:35:18 UTC
Red Hat Product Errata RHSA-2024:2348 0 None None None 2024-04-30 10:04:39 UTC
Red Hat Product Errata RHSA-2024:2733 0 None None None 2024-05-22 20:35:22 UTC
Red Hat Product Errata RHSA-2024:2968 0 None None None 2024-05-22 09:23:40 UTC
Red Hat Product Errata RHSA-2024:2987 0 None None None 2024-05-22 09:26:51 UTC
Red Hat Product Errata RHSA-2024:3102 0 None None None 2024-05-22 09:45:28 UTC

Description TEJ RATHI 2024-01-11 10:25:24 UTC
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

https://github.com/pallets/jinja/releases/tag/3.1.3
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
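
The Doc Text and description above give the root cause: the xmlattr filter accepted keys containing whitespace, so a single user-controlled key could render as several attributes. The Python below is an added example, not Jinja's own code: a minimal xmlattr-style renderer with a key check modelled on the 3.1.3 fix (which rejects whitespace in keys), extended here to also refuse the other characters that end an attribute name or start a value; `check_keys=False` reproduces the pre-fix behaviour on a constructed, benign input, and `html.escape` stands in for `markupsafe.escape`.

```python
import html
import re

# Jinja 3.1.3 rejects ASCII whitespace in xmlattr keys. This added check
# (modelled on that fix, not Jinja's own code) also refuses the characters
# that end an attribute name or introduce a value, so one key can never
# render as more than one attribute.
_BAD_KEY_RE = re.compile(r"""[\s/<>="']""", flags=re.ASCII)


def is_safe_key(key):
    """True when key can only render as a single attribute name."""
    return _BAD_KEY_RE.search(str(key)) is None


def xmlattr(d, autospace=True, check_keys=True):
    """Render a mapping as HTML attributes, like Jinja's xmlattr filter.

    check_keys=False reproduces the pre-3.1.3 behaviour from the report:
    values are escaped, but whitespace in a key passes straight through.
    html.escape stands in for markupsafe.escape (same characters escaped;
    the single quote becomes &#x27; instead of &#39;).
    """
    parts = []
    for key, value in d.items():
        if value is None:  # Jinja also skips Undefined; not modelled here
            continue
        if check_keys and not is_safe_key(key):
            raise ValueError(f"invalid character in attribute name: {key!r}")
        parts.append(f'{html.escape(str(key))}="{html.escape(str(value))}"')
    rv = " ".join(parts)
    if autospace and rv:
        rv = " " + rv
    return rv


if __name__ == "__main__":
    # Constructed input: the key is the part a user would control.
    user_key = "class tabindex"
    # Pre-fix behaviour: one key yields two attributes in the output.
    print(xmlattr({user_key: "nav"}, check_keys=False))
    try:
        xmlattr({user_key: "nav"})  # fixed behaviour: rejected
    except ValueError as exc:
        print("rejected:", exc)
```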

Comment 1 TEJ RATHI 2024-01-11 11:39:48 UTC
Upstream Commit: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 (3.1.3)

Comment 2 TEJ RATHI 2024-01-11 11:41:34 UTC
Created mingw-python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2257865]


Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2257864]


Created python3-jinja2 tracking bugs for this issue:

Affects: epel-all [bug 2257868]


Created python3.11-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2257867]


Created python39-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2257866]

Comment 13 errata-xmlrpc 2024-02-29 19:41:53 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057

Comment 14 errata-xmlrpc 2024-03-05 18:08:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1155 https://access.redhat.com/errata/RHSA-2024:1155

Comment 15 errata-xmlrpc 2024-03-27 13:19:07 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2024:1536 https://access.redhat.com/errata/RHSA-2024:1536

Comment 16 errata-xmlrpc 2024-04-02 19:30:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 17 errata-xmlrpc 2024-04-18 01:52:01 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

Comment 18 errata-xmlrpc 2024-04-23 17:17:05 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010

Comment 19 errata-xmlrpc 2024-04-30 09:35:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2132 https://access.redhat.com/errata/RHSA-2024:2132

Comment 20 errata-xmlrpc 2024-04-30 10:04:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2348 https://access.redhat.com/errata/RHSA-2024:2348

Comment 21 errata-xmlrpc 2024-05-22 09:23:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2968 https://access.redhat.com/errata/RHSA-2024:2968

Comment 22 errata-xmlrpc 2024-05-22 09:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2987 https://access.redhat.com/errata/RHSA-2024:2987

Comment 23 errata-xmlrpc 2024-05-22 09:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3102 https://access.redhat.com/errata/RHSA-2024:3102

Comment 24 errata-xmlrpc 2024-05-22 20:35:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2733 https://access.redhat.com/errata/RHSA-2024:2733
