Bug 1218722 (CVE-2024-22195) - VUL-0: CVE-2024-22195: python-Jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
Summary: VUL-0: CVE-2024-22195: python-Jinja2: HTML attribute injection when passing u...
Status: IN_PROGRESS
Alias: CVE-2024-22195
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/390799/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-22195:5.4:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-11 10:25 UTC by SMASH SMASH
Modified: 2024-07-12 16:30 UTC
CC: 8 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-01-11 10:25:08 UTC
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22195
https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7
https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
https://www.cve.org/CVERecord?id=CVE-2024-22195
https://github.com/pallets/jinja/releases/tag/3.1.3
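The description above says the `xmlattr` filter escapes attribute values but, before 3.1.3, never inspected the attribute names, so a user-controlled key containing whitespace, `/`, `>` or `=` turns into additional attributes. The following added example (not Jinja's code and not from the upstream commit) re-implements that behaviour with the standard library only, so the mechanism and the mitigation can be seen side by side: an unchecked builder, a checked builder that rejects malformed names, and an allowlist wrapper for keys that come from a request. The `_ATTR_NAME_RE` allowlist, the helper names and the sample input are this example's own assumptions; the upstream fix linked above is the authoritative check.

```python
import html
import re

# Allowlist for attribute names: a letter or underscore, then letters, digits,
# underscore, dot, colon or hyphen. This regex is the example's own assumption;
# it is the same idea as the key validation the linked upstream commit added,
# not a copy of Jinja's code.
_ATTR_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.:-]*")


def xmlattr_unchecked(attrs):
    """Illustrates the pre-3.1.3 behaviour: values are escaped, keys are not
    inspected. A key containing a space, '/', '>' or '=' therefore splits into
    extra attributes in the output. Kept only for comparison."""
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        parts.append(f' {key}="{html.escape(str(value), quote=True)}"')
    return "".join(parts)


def xmlattr_checked(attrs):
    """Hardened form: refuse any key that is not a plain attribute name
    before the attribute string is built."""
    for key in attrs:
        if not isinstance(key, str) or _ATTR_NAME_RE.fullmatch(key) is None:
            raise ValueError(f"invalid character in attribute name: {key!r}")
    return xmlattr_unchecked(attrs)


def attribute_token_count(attr_string):
    """Number of whitespace-separated tokens in a rendered attribute string.
    With well-formed keys this equals the number of input keys; a malformed
    key shows up as extra tokens."""
    return len(attr_string.split())


def render_user_attrs(user_attrs, allowed=("class", "title", "data-user")):
    """Defender-side pattern for request-supplied attribute maps: keep only
    keys from an allowlist of expected names, then run the checked builder.
    Unknown or malformed keys are dropped instead of rendered."""
    clean = {k: v for k, v in user_attrs.items() if k in allowed}
    return "<a" + xmlattr_checked(clean) + ">profile</a>"


# Constructed sample input standing in for a request parameter map.
SAMPLE_USER_INPUT = {
    "class": "avatar",
    "data-user x": "1",   # key with whitespace: becomes two tokens when unchecked
    "title": 'O"Brien',   # value with a quote: escaped correctly by either builder
}

if __name__ == "__main__":
    print("unchecked:", xmlattr_unchecked(SAMPLE_USER_INPUT))
    print("allowlisted:", render_user_attrs(SAMPLE_USER_INPUT))
    try:
        xmlattr_checked(SAMPLE_USER_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block prints the unchecked output with one more token than there are keys, the allowlisted render with only the expected attributes, and the rejection raised by the checked builder. Validating names with `fullmatch` rather than searching for a few forbidden characters is the safer default, since it also rejects characters the blocklist did not anticipate.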
Comment 1 Thomas Leroy 2024-01-11 10:26:42 UTC
Affected:

- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update (wontfix due to CVSS too low)
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update (wontfix due to CVSS too low)
- SUSE:SLE-12:Update
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15:Update
Comment 2 OBSbugzilla Bot 2024-01-12 11:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1218722) was mentioned in
https://build.opensuse.org/request/show/1138254 Factory / python-Jinja2
Comment 5 Christian Almeida de Oliveira 2024-02-05 13:03:20 UTC
SOC products are under LTSS, which means that only CVEs with a CVSS higher than 7 are to be considered, which is not the case for this CVE.
No actions from Cloud-bugs side.
Back to Security team.
Comment 7 Christian Almeida de Oliveira 2024-04-22 06:09:28 UTC
Hi Stoyan,

Good question! :-)
Cloud-bugs was maintaining only SLE-12-SP3 and SLE-12-SP4 code streams.
@robert.simai @jeremy.moffitt could you please comment here?
Comment 8 Jeremy Moffitt 2024-04-22 14:28:55 UTC
Not sure what the options are, but I believe cloud-bugs is only associated with python-Jinja2 due to its use in SOC. It's not really a "cloud" software package and is more of a generic web template package. I believe it was included in SOC for use with ansible and we relied on it heavily in the Ardana configuration processor.
Comment 16 Maintenance Automation 2024-07-12 16:30:54 UTC
SUSE-SU-2024:1863-2: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1218722, 1223980
CVE References: CVE-2024-22195, CVE-2024-34064
Maintenance Incident: [SUSE:Maintenance:33877](https://smelt.suse.de/incident/33877/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src):
 python-Jinja2-2.10.1-150000.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.