USN-6787-1: Jinja2 vulnerability
First published: Tue May 28 2024(Updated: )
It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting (XSS) attack.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/python3-jinja2 | <3.1.2-1ubuntu1.1 | 3.1.2-1ubuntu1.1 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/python3-jinja2 | <3.1.2-1ubuntu0.23.10.2 | 3.1.2-1ubuntu0.23.10.2 |
| Ubuntu | =23.10 | |
| All of | ||
| ubuntu/python3-jinja2 | <3.0.3-1ubuntu0.2 | 3.0.3-1ubuntu0.2 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/python-jinja2 | <2.10.1-2ubuntu0.3 | 2.10.1-2ubuntu0.3 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/python3-jinja2 | <2.10.1-2ubuntu0.3 | 2.10.1-2ubuntu0.3 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/python-jinja2 | <2.10-1ubuntu0.18.04.1+esm2 | 2.10-1ubuntu0.18.04.1+esm2 |
| Ubuntu | =18.04 | |
| All of | ||
| ubuntu/python3-jinja2 | <2.10-1ubuntu0.18.04.1+esm2 | 2.10-1ubuntu0.18.04.1+esm2 |
| Ubuntu | =18.04 | |
| All of | ||
| ubuntu/python-jinja2 | <2.8-1ubuntu0.1+esm3 | 2.8-1ubuntu0.1+esm3 |
| Ubuntu | =16.04 | |
| All of | ||
| ubuntu/python3-jinja2 | <2.8-1ubuntu0.1+esm3 | 2.8-1ubuntu0.1+esm3 |
| Ubuntu | =16.04 | |
| All of | ||
| ubuntu/python-jinja2 | <2.7.2-2ubuntu0.1~esm3 | 2.7.2-2ubuntu0.1~esm3 |
| Ubuntu | =14.04 | |
| All of | ||
| ubuntu/python3-jinja2 | <2.7.2-2ubuntu0.1~esm3 | 2.7.2-2ubuntu0.1~esm3 |
| Ubuntu | =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2024-34064
- https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu1.1
- https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.2
- https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.2
- https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.3
- https://ubuntu.com/security/notices/USN-6787-1 (Advisory)
Frequently Asked Questions
What is the severity of USN-6787-1?
The severity of USN-6787-1 is high due to the potential for cross-site scripting (XSS) attacks.
How do I fix USN-6787-1?
To fix USN-6787-1, upgrade to the appropriate remedied version of python3-jinja2 for your specific Ubuntu release.
Which versions of Ubuntu are affected by USN-6787-1?
USN-6787-1 affects multiple versions of Ubuntu, including 14.04, 16.04, 18.04, 20.04, 22.04, 23.10, and 24.04.
What is the cause of the vulnerability in USN-6787-1?
The vulnerability in USN-6787-1 is caused by Jinja2's improper handling of HTML attributes accepted by the xmlattr filter.
Is there a workaround for USN-6787-1?
There is no recommended workaround for USN-6787-1; updating to the fixed version is necessary to mitigate the vulnerability.
- agent/severity
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu
- version/ubuntu/24.04
- version/ubuntu/23.10
- version/ubuntu/22.04
- version/ubuntu/20.04
- version/ubuntu/18.04
- version/ubuntu/16.04
- version/ubuntu/14.04