AmazonALAS-2024-2437

HistoryFeb 01, 2024 - 7:57 p.m.

Medium: python3-jinja2

2024-02-0119:57:00

alas.aws.amazon.com

jinja

templating

xss

python3-jinja2

cve-2024-22195

red hat

mitre

security

0.001 Low

EPSS

Percentile

40.9%

JSON

Issue Overview:

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. (CVE-2024-22195)

Affected Packages:

python3-jinja2

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python3-jinja2 to update your system.

New Packages:

noarch:  
    python3-jinja2-2.7.2-4.amzn2.0.3.noarch  
  
src:  
    python3-jinja2-2.7.2-4.amzn2.0.3.src

Additional References

Red Hat: CVE-2024-22195

Mitre: CVE-2024-22195

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchpython3-jinja2< 2.7.2-4.amzn2.0.3python3-jinja2-2.7.2-4.amzn2.0.3.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	noarch	python3-jinja2	< 2.7.2-4.amzn2.0.3	python3-jinja2-2.7.2-4.amzn2.0.3.noarch.rpm

0.001 Low

EPSS

Percentile

40.9%

JSON

Related for ALAS-2024-2437