CVE-2024-34064 : Jinja is an extensible templating engine. The `xmlattr` filter in affected versi

Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

Published 2024-05-06 14:41:40

Updated 2025-02-04 17:15:19

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2024-34064

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-34064

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 26 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-34064

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-04
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	GitHub, Inc.	2024-05-06
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2024-34064

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- security-advisories@github.com (Primary)

References for CVE-2024-34064

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS/

[SECURITY] Fedora 39 Update: python-jinja2-3.1.4-1.fc39 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS/

[SECURITY] Fedora 40 Update: python-jinja2-3.1.4-1.fc40 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC/

[SECURITY] Fedora 39 Update: mingw-python-jinja2-3.1.4-1.fc39 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE/

[SECURITY] Fedora 40 Update: mingw-python-jinja2-3.1.4-1.fc40 - package-announce - Fedora Mailing-Lists
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter · Advisory · pallets/jinja · GitHub
https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb

Merge pull request from GHSA-h75v-3vvj-5mfj · pallets/jinja@0668239 · GitHub

Jump to

Vulnerability Details : CVE-2024-34064

Products affected by CVE-2024-34064

Exploit prediction scoring system (EPSS) score for CVE-2024-34064

CVSS scores for CVE-2024-34064

CWE ids for CVE-2024-34064

References for CVE-2024-34064