CVE-2024-22195 : Jinja is an extensible templating engine. Special placeholders in the template a

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Published 2024-01-11 03:15:11

Updated 2025-02-13 18:16:47

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2024-22195

Palletsprojects » Jinja
Versions before (<) 3.1.3
cpe:2.3:a:palletsprojects:jinja:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-22195

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 22 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-22195

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST	2024-01-17
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	GitHub, Inc.	2024-01-11
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	N/A	N/A	RedHat-CVE-2024-22195	2024-01-11
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2024-22195

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2024-22195

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/

[SECURITY] Fedora 39 Update: mingw-python-jinja2-3.1.3-1.fc39 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/

[SECURITY] Fedora 39 Update: python-jinja2-3.1.3-1.fc39 - package-announce - Fedora Mailing-Lists
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95

HTML attribute injection when passing user input as keys to xmlattr filter · Advisory · pallets/jinja · GitHub
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html

[SECURITY] [DLA 3715-1] jinja2 security update
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP/

[SECURITY] Fedora 38 Update: python-jinja2-3.1.3-1.fc38 - package-announce - Fedora Mailing-Lists
https://github.com/pallets/jinja/releases/tag/3.1.3

Release 3.1.3 · pallets/jinja · GitHub
Release Notes

Jump to

Vulnerability Details : CVE-2024-22195

Products affected by CVE-2024-22195

Exploit prediction scoring system (EPSS) score for CVE-2024-22195

CVSS scores for CVE-2024-22195

CWE ids for CVE-2024-22195

References for CVE-2024-22195