Bug 1223980 (CVE-2024-34064) - VUL-0: CVE-2024-34064: python-Jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
Summary: VUL-0: CVE-2024-34064: python-Jinja2: HTML attribute injection when passing u...
Status: IN_PROGRESS
Alias: CVE-2024-34064
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404496/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-34064:6.1:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-06 17:04 UTC by SMASH SMASH
Modified: 2024-07-12 16:30 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-06 17:04:12 UTC 
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34064
https://www.cve.org/CVERecord?id=CVE-2024-34064
https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
Comment 3 OBSbugzilla Bot 2024-05-06 18:45:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1223980) was mentioned in
https://build.opensuse.org/request/show/1172259 Factory / python-Jinja2
Comment 6 Daniel Garcia 2024-05-08 07:28:46 UTC 
Request with a fix created for all affected codestreams.
Comment 10 Maintenance Automation 2024-06-07 16:30:13 UTC 
SUSE-SU-2024:1948-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1223980
CVE References: CVE-2024-34064
Maintenance Incident: [SUSE:Maintenance:33879](https://smelt.suse.de/incident/33879/)
Sources used:
SUSE Manager Client Tools for SLE 12 (src):
 python-Jinja2-2.8-19.26.1
Advanced Systems Management Module 12 (src):
 python-Jinja2-2.8-19.26.1
Public Cloud Module 12 (src):
 python-Jinja2-2.8-19.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-07-12 16:30:54 UTC 
SUSE-SU-2024:1863-2: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1218722, 1223980
CVE References: CVE-2024-22195, CVE-2024-34064
Maintenance Incident: [SUSE:Maintenance:33877](https://smelt.suse.de/incident/33877/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src):
 python-Jinja2-2.10.1-150000.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.