CVE-2024-22195

CVE-2024-22195

Name

CVE-2024-22195

Description

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/pallets/jinja/releases/tag/3.1.3
CONFIRM	https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP/
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html

Type

URI

MISC

https://github.com/pallets/jinja/releases/tag/3.1.3

CONFIRM

https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/

security-advisories@github.com

https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP/

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html

CPE URI	Source package	Min version	Max version
	jinja	>= 0	< 3.1.3

CPE URI

Source package

Min version

Max version

jinja

>= 0

< 3.1.3

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-jinja2	edge-main	3.1.3-r0	Matt Smith <mcs@darkregion.net>	fixed
py3-jinja2	3.22-main	3.1.3-r0	None	fixed
py3-jinja2	3.21-main	3.1.3-r0	None	fixed
py3-jinja2	3.20-main	3.1.3-r0	None	fixed
py3-jinja2	3.19-main	3.1.4-r0	Matt Smith <mcs@darkregion.net>	fixed
py3-jinja2	3.18-main	3.1.4-r0	Matt Smith <mcs@darkregion.net>	fixed
py3-jinja2	3.17-main	3.1.4-r0	Matt Smith <mcs@darkregion.net>	fixed

Source package

Branch

Version

Maintainer

Status

py3-jinja2

edge-main

3.1.3-r0

Matt Smith <mcs@darkregion.net>

fixed

py3-jinja2

3.22-main