Headline
GHSA-h75v-3vvj-5mfj: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.
Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.
The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.
Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.
References
- GHSA-h75v-3vvj-5mfj
- pallets/jinja@0668239
Related news
Red Hat Security Advisory 2024-4616-03 - Red Hat OpenShift Container Platform release 4.16.4 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-4522-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4427-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Red Hat Security Advisory 2024-4414-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-4404-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2024-3781-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, buffer overflow, code execution, cross site scripting, denial of service, memory exhaustion, null pointer, and password leak vulnerabilities.
Ubuntu Security Notice 6787-1 - It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting attack.