Headline
Ubuntu Security Notice USN-6787-1
Ubuntu Security Notice 6787-1 - It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting attack.
==========================================================================
Ubuntu Security Notice USN-6787-1
May 28, 2024
jinja2 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Jinja2 could allow cross-site scripting (XSS) attacks.
Software Description:
- jinja2: small but fast and easy to use stand-alone template engine
Details:
It was discovered that Jinja2 incorrectly handled certain HTML attributes
that were accepted by the xmlattr filter. An attacker could use this issue
to inject arbitrary HTML attribute keys and values to potentially execute
a cross-site scripting (XSS) attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-jinja2 3.1.2-1ubuntu1.1
Ubuntu 23.10
python3-jinja2 3.1.2-1ubuntu0.23.10.2
Ubuntu 22.04 LTS
python3-jinja2 3.0.3-1ubuntu0.2
Ubuntu 20.04 LTS
python-jinja2 2.10.1-2ubuntu0.3
python3-jinja2 2.10.1-2ubuntu0.3
Ubuntu 18.04 LTS
python-jinja2 2.10-1ubuntu0.18.04.1+esm2
Available with Ubuntu Pro
python3-jinja2 2.10-1ubuntu0.18.04.1+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-jinja2 2.8-1ubuntu0.1+esm3
Available with Ubuntu Pro
python3-jinja2 2.8-1ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python-jinja2 2.7.2-2ubuntu0.1~esm3
Available with Ubuntu Pro
python3-jinja2 2.7.2-2ubuntu0.1~esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6787-1
CVE-2024-34064
Package Information:
https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.2
https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.2
https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.3
Related news
Red Hat Security Advisory 2024-4616-03 - Red Hat OpenShift Container Platform release 4.16.4 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-4522-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4427-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Red Hat Security Advisory 2024-4414-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-4404-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2024-3781-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, buffer overflow, code execution, cross site scripting, denial of service, memory exhaustion, null pointer, and password leak vulnerabilities.
The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.