Bug 2279476 (CVE-2024-34064) - CVE-2024-34064 jinja2: accepts keys containing non-attribute characters
Summary: CVE-2024-34064 jinja2: accepts keys containing non-attribute characters
Keywords:
Status: NEW
Alias: CVE-2024-34064
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2279477 2279478 2279480 2279487 2279489 2279490 2292741 2279479 2279481 2279482 2279483 2279484 2279485 2279486 2279488 2279491
Blocks: 2279475
TreeView+ depends on / blocked
 
Reported: 2024-05-07 06:30 UTC by Rohit Keshri
Modified: 2024-09-04 20:32 UTC (History)
84 users (show)

Fixed In Version: jinja2 3.1.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jinja2. The `xmlattr` filter accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could inject other attributes and perform cross-site scripting (XSS).
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3781 0 None None None 2024-06-10 18:38:01 UTC
Red Hat Product Errata RHSA-2024:3795 0 None None None 2024-06-11 13:09:02 UTC
Red Hat Product Errata RHSA-2024:3811 0 None None None 2024-06-11 17:29:48 UTC
Red Hat Product Errata RHSA-2024:3820 0 None None None 2024-06-11 19:40:18 UTC
Red Hat Product Errata RHSA-2024:4231 0 None None None 2024-07-02 15:21:22 UTC
Red Hat Product Errata RHSA-2024:4404 0 None None None 2024-07-09 08:48:40 UTC
Red Hat Product Errata RHSA-2024:4414 0 None None None 2024-07-09 09:20:58 UTC
Red Hat Product Errata RHSA-2024:4427 0 None None None 2024-07-09 12:51:07 UTC
Red Hat Product Errata RHSA-2024:4522 0 None None None 2024-07-12 01:40:51 UTC
Red Hat Product Errata RHSA-2024:4616 0 None None None 2024-07-24 19:09:30 UTC
Red Hat Product Errata RHSA-2024:4958 0 None None None 2024-08-07 02:04:55 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:42:01 UTC
Red Hat Product Errata RHSA-2024:5662 0 None None None 2024-08-20 20:30:48 UTC
Red Hat Product Errata RHSA-2024:6011 0 None None None 2024-09-04 08:13:33 UTC

Description Rohit Keshri 2024-05-07 06:30:20 UTC
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj

Comment 1 Rohit Keshri 2024-05-07 06:36:32 UTC
Created mingw-python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2279486]


Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 2279491]


Created python3-jinja2 tracking bugs for this issue:

Affects: epel-all [bug 2279489]


Created python3.11-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2279487]


Created python39-jinja2-epel tracking bugs for this issue:

Affects: epel-all [bug 2279488]

Comment 8 errata-xmlrpc 2024-06-10 18:37:56 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

Comment 9 errata-xmlrpc 2024-06-11 13:08:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:3795 https://access.redhat.com/errata/RHSA-2024:3795

Comment 10 errata-xmlrpc 2024-06-11 17:29:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3811 https://access.redhat.com/errata/RHSA-2024:3811

Comment 11 errata-xmlrpc 2024-06-11 19:40:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3820 https://access.redhat.com/errata/RHSA-2024:3820

Comment 12 errata-xmlrpc 2024-07-02 15:21:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4231 https://access.redhat.com/errata/RHSA-2024:4231

Comment 13 errata-xmlrpc 2024-07-09 08:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4404 https://access.redhat.com/errata/RHSA-2024:4404

Comment 14 errata-xmlrpc 2024-07-09 09:20:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4414 https://access.redhat.com/errata/RHSA-2024:4414

Comment 15 errata-xmlrpc 2024-07-09 12:51:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4427 https://access.redhat.com/errata/RHSA-2024:4427

Comment 16 errata-xmlrpc 2024-07-12 01:40:46 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:4522 https://access.redhat.com/errata/RHSA-2024:4522

Comment 17 errata-xmlrpc 2024-07-24 19:09:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4616 https://access.redhat.com/errata/RHSA-2024:4616

Comment 19 errata-xmlrpc 2024-08-07 02:04:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4958 https://access.redhat.com/errata/RHSA-2024:4958

Comment 20 errata-xmlrpc 2024-08-20 20:30:42 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:5662 https://access.redhat.com/errata/RHSA-2024:5662

Comment 21 errata-xmlrpc 2024-08-22 11:41:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433

Comment 24 errata-xmlrpc 2024-09-04 08:13:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6011 https://access.redhat.com/errata/RHSA-2024:6011


Note You need to log in before you can comment on or make changes to this bug.