CVE-2024-22195: Jinja vulnerable to Cross-Site Scripting (XSS)
First published: Thu Jan 11 2024(Updated: )
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/jinja2 | <3.1.3 | 3.1.3 |
| debian/jinja2 | <=2.10-2<=2.11.3-1<=3.1.2-1 | 2.10-2+deb10u1 3.1.3-1 |
| ubuntu/jinja2 | <2.10-1ubuntu0.18.04.1+ | 2.10-1ubuntu0.18.04.1+ |
| ubuntu/jinja2 | <2.10.1-2ubuntu0.2 | 2.10.1-2ubuntu0.2 |
| ubuntu/jinja2 | <3.0.3-1ubuntu0.1 | 3.0.3-1ubuntu0.1 |
| ubuntu/jinja2 | <3.1.2-1ubuntu0.23.10.1 | 3.1.2-1ubuntu0.23.10.1 |
| ubuntu/jinja2 | <3.1.2-1ubuntu1 | 3.1.2-1ubuntu1 |
| ubuntu/jinja2 | <2.7.2-2ubuntu0.1~ | 2.7.2-2ubuntu0.1~ |
| ubuntu/jinja2 | <2.8-1ubuntu0.1+ | 2.8-1ubuntu0.1+ |
| redhat/jinja2 | <3.1.3 | 3.1.3 |
| F5 Traffix Systems Signaling Delivery Controller | =5.1.0 | 5.2.0 |
| Jinja | <3.1.3 | |
| IBM QRadar Security Information and Event Manager | <=7.5 - 7.5.0 UP9 IF03 | |
| IBM Security QRadar Incident Forensics | <=7.5 - 7.5.0 UP9 IF03 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pallets/jinja/releases/tag/3.1.3
- https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/
- https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html
- https://launchpad.net/bugs/cve/CVE-2024-22195
- https://nvd.nist.gov/vuln/detail/CVE-2024-22195
- https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7
- https://github.com/advisories/GHSA-h5c8-rqwp-cp95 (Advisory)
- https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23
- https://security-tracker.debian.org/tracker/CVE-2024-22195
- https://ubuntu.com/security/notices/USN-6599-1
- https://www.cve.org/CVERecord?id=CVE-2024-22195
- https://ubuntu.com/security/CVE-2024-22195
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257865
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257864
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257868
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257867
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257866
- https://access.redhat.com/errata/RHSA-2024:1057
- https://access.redhat.com/errata/RHSA-2024:1155
- https://access.redhat.com/errata/RHSA-2024:1536
- https://access.redhat.com/errata/RHSA-2024:1640
- https://access.redhat.com/errata/RHSA-2024:1878
- https://access.redhat.com/errata/RHSA-2024:2010
- https://access.redhat.com/errata/RHSA-2024:2132
- https://access.redhat.com/errata/RHSA-2024:2348
- https://access.redhat.com/errata/RHSA-2024:2968
- https://access.redhat.com/errata/RHSA-2024:2987
- https://access.redhat.com/errata/RHSA-2024:3102
- https://access.redhat.com/errata/RHSA-2024:2733
- https://access.redhat.com/errata/RHSA-2024:3927
- https://bugzilla.redhat.com/show_bug.cgi?id=2257854
- https://www.ibm.com/support/pages/node/7173420 (Advisory)
- https://my.f5.com/manage/s/article/K000141253
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3
Frequently Asked Questions
What is the severity of CVE-2024-22195?
The severity of CVE-2024-22195 is categorized as high due to the potential for Cross-Site Scripting (XSS) attacks.
How do I fix CVE-2024-22195?
To fix CVE-2024-22195, update your Jinja2 version to at least 3.1.3 or the specific patched versions for your operating system.
What vulnerability does CVE-2024-22195 exploit?
CVE-2024-22195 exploits a flaw in the Jinja templating engine that allows the injection of arbitrary HTML attributes leading to XSS.
Which software is affected by CVE-2024-22195?
CVE-2024-22195 affects Jinja2 versions below 3.1.3 and various products including IBM QRadar SIEM and F5 Traffix SDC.
What is the potential impact of CVE-2024-22195 on web applications?
The potential impact of CVE-2024-22195 on web applications includes the ability for attackers to inject malicious scripts into web pages viewed by users.
- agent/type
- agent/title
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/github-advisory
- source/GitHub
- alias/GHSA-h5c8-rqwp-cp95
- alias/CVE-2024-22195
- agent/software-canonical-lookup
- agent/weakness
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- agent/severity
- agent/trending
- agent/source
- collector/f5-advisory
- source/F5
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/github-advisory-latest
- agent/last-modified-date
- agent/author
- agent/references
- agent/tags
- collector/nvd-api
- agent/softwarecombine
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/pip
- package-manager/debian
- package-manager/ubuntu
- package-manager/redhat
- vendor/f5
- canonical/f5 traffix systems signaling delivery controller
- version/f5 traffix systems signaling delivery controller/5.1.0
- vendor/palletsprojects
- canonical/jinja
- vendor/ibm
- canonical/ibm qradar security information and event manager
- version/ibm qradar security information and event manager/7.5 - 7.5.0 up9 if03
- canonical/ibm security qradar incident forensics
- version/ibm security qradar incident forensics/7.5 - 7.5.0 up9 if03