Source: jinja2 Version: 3.1.2-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for jinja2. CVE-2024-22195[0]: | Jinja is an extensible templating engine. Special placeholders in | the template allow writing code similar to Python syntax. It is | possible to inject arbitrary HTML attributes into the rendered HTML | template, potentially leading to Cross-Site Scripting (XSS). The | Jinja `xmlattr` filter can be abused to inject arbitrary HTML | attribute keys and values, bypassing the auto escaping mechanism and | potentially leading to XSS. It may also be possible to bypass | attribute validation checks if they are blacklist-based. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-22195 https://www.cve.org/CVERecord?id=CVE-2024-22195 [1] https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95 [2] https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 Please adjust the affected versions in the BTS as needed. Regards, Salvatore