CVE-2024-22195

Jinja vulnerable to Cross-Site Scripting (XSS)

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Jinja es un motor de plantillas extensible. Los marcadores de posición especiales en la plantilla permiten escribir código similar a la sintaxis de Python. Es posible inyectar atributos HTML arbitrarios en la plantilla HTML renderizada, lo que podría generar cross site scripting (XSS). Se puede abusar del filtro Jinja `xmlattr` para inyectar claves y valores de atributos HTML arbitrarios, evitando el mecanismo de escape automático y potencialmente conduciendo a XSS. También es posible omitir las comprobaciones de validación de atributos si están basadas en listas negras.

A cross-site scripting (XSS) flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. This misuse of the xmlattr filter enables the injection of arbitrary HTML attributes, bypassing auto-escaping and potentially circumventing attribute validation checks.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-08 CVE Reserved
2024-01-11 CVE Published
2024-01-31 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (8)

URL	Tag	Source
https://github.com/pallets/jinja/releases/tag/3.1.3	Release Notes
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-22195	2024-06-13
https://bugzilla.redhat.com/show_bug.cgi?id=2257854	2024-06-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Palletsprojects Search vendor "Palletsprojects"		Jinja Search vendor "Palletsprojects" for product "Jinja"				< 3.1.3 Search vendor "Palletsprojects" for product "Jinja" and version " < 3.1.3"		-		Affected