Source: jinja2 Version: 3.1.3-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for jinja2. CVE-2024-34064[0]: | Jinja is an extensible templating engine. The `xmlattr` filter in | affected versions of Jinja accepts keys containing non-attribute | characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or | `=`, as each would then be interpreted as starting a separate | attribute. If an application accepts keys (as opposed to only | values) as user input, and renders these in pages that other users | see as well, an attacker could use this to inject other attributes | and perform XSS. The fix for CVE-2024-22195 only addressed spaces | but not other characters. Accepting keys as user input is now | explicitly considered an unintended use case of the `xmlattr` | filter, and code that does so without otherwise validating the input | should be flagged as insecure, regardless of Jinja version. | Accepting _values_ as user input continues to be safe. This | vulnerability is fixed in 3.1.4. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-34064 https://www.cve.org/CVERecord?id=CVE-2024-34064 [1] https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj [2] https://github.com/pallets/jinja/commit/d655030770081e2dfe46f90e27620472a502289d Please adjust the affected versions in the BTS as needed. Regards, Salvatore