CVE-2024-34064Cross-site Scripting in Jinja

CWE-79Cross-site Scripting13 documents9 sources
Severity
5.4MEDIUMNVD
GHSA6.1OSV6.1
EPSS
0.8%
top 25.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Pallets JinjaPocoo Jinja2Palletsprojects Jinja+1 more
Timeline
PublishedMay 6
Latest updateJul 15

Description

Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

PyPIpocoo/jinja2< 3.1.4
CVEListV5pallets/jinja< 3.1.4
Debianpocoo/jinja2< 2.11.3-1+deb11u1+3

Also affects: Fedora 39, 40

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
CVEList
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter2024-05-06
GHSA
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter2024-05-06
OSV
CVE-2024-34064: Jinja is an extensible templating engine2024-05-06
OSV
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter2024-05-06

📋Vendor Advisories

8
Oracle
Oracle Oracle Communications Risk Matrix: Platform (Jinja) — CVE-2024-340642025-07-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Core (Jinja) — CVE-2024-340642025-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Install (Jinja) — CVE-2024-340642025-01-15
Oracle
Oracle Oracle Communications Risk Matrix: Install (Jinja2) — CVE-2024-340642024-07-15
Ubuntu
Jinja2 vulnerability2024-05-28
CVE-2024-34064 — Cross-site Scripting in Pallets Jinja | cvebase