Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
https://github.com/pallets/jinja/releases/tag/3.1.3
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
Upstream Commit: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 (3.1.3)
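As an added illustration (not code from Jinja, the upstream commit or this bug report), the pre-fix and post-fix behaviour of an `xmlattr`-style filter, reimplemented in plain Python so it runs without jinja2. The function names, the `count_attributes` helper and the attribute dicts are constructed for the example; the rejected-character set mirrors what the 3.1.3 fix refuses in an attribute name.

```python
import re
from html import escape

# Characters the 3.1.3 fix refuses in an attribute *name*: whitespace, "/",
# ">" and "=". Any of them lets one dict key terminate itself and start a
# second attribute. Reconstructed here, not imported from jinja2.
_ATTR_KEY_RE = re.compile(r"[\s/>=]", flags=re.ASCII)


def is_safe_attr_key(key: str) -> bool:
    """True when the key cannot break out of its own attribute slot."""
    return _ATTR_KEY_RE.search(key) is None


def xmlattr_unpatched(d: dict) -> str:
    """Pre-3.1.3 behaviour: values are escaped, keys are only HTML-escaped,
    so whitespace inside a key survives and the key splits into two
    attributes in the rendered output (the issue this bug tracks)."""
    return "".join(
        f' {escape(k)}="{escape(str(v))}"' for k, v in d.items() if v is not None
    )


def xmlattr_hardened(d: dict) -> str:
    """Same rendering, but an unsafe attribute name is rejected before any
    output is produced, mirroring the fix rather than blacklisting values."""
    parts = []
    for k, v in d.items():
        if v is None:
            continue
        if not is_safe_attr_key(k):
            raise ValueError(f"invalid character in attribute name: {k!r}")
        parts.append(f' {escape(k)}="{escape(str(v))}"')
    return "".join(parts)


def count_attributes(rendered: str) -> int:
    """Count attribute tokens in a rendered fragment, to show that one dict
    key can become more than one attribute in the unpatched output."""
    return len(re.findall(r'[^\s"=]+(?:="[^"]*")?', rendered))


if __name__ == "__main__":
    # Constructed input: a key that carries a space, as a caller building the
    # dict from untrusted data might pass it.
    hostile = {"class data-injected": "x"}
    print(repr(xmlattr_unpatched(hostile)), count_attributes(xmlattr_unpatched(hostile)))
    print(is_safe_attr_key("class data-injected"), is_safe_attr_key("data-id"))
```

Escaping the value alone does not help here: the extra attribute comes from the key, which is why the fix validates attribute names instead of relying on value escaping.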
Created mingw-python-jinja2 tracking bugs for this issue: Affects: fedora-all [bug 2257865]
Created python-jinja2 tracking bugs for this issue: Affects: fedora-all [bug 2257864]
Created python3-jinja2 tracking bugs for this issue: Affects: epel-all [bug 2257868]
Created python3.11-jinja2-epel tracking bugs for this issue: Affects: epel-all [bug 2257867]
Created python39-jinja2-epel tracking bugs for this issue: Affects: epel-all [bug 2257866]
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1155 https://access.redhat.com/errata/RHSA-2024:1155
This issue has been addressed in the following products: Red Hat Satellite 6.14 for RHEL 8 Via RHSA-2024:1536 https://access.redhat.com/errata/RHSA-2024:1536
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640
This issue has been addressed in the following products: RHUI 4 for RHEL 8 Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878
This issue has been addressed in the following products: Red Hat Satellite 6.15 for RHEL 8 Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2132 https://access.redhat.com/errata/RHSA-2024:2132
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2348 https://access.redhat.com/errata/RHSA-2024:2348
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2968 https://access.redhat.com/errata/RHSA-2024:2968
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2987 https://access.redhat.com/errata/RHSA-2024:2987
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3102 https://access.redhat.com/errata/RHSA-2024:3102
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2024:2733 https://access.redhat.com/errata/RHSA-2024:2733