Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.
History

Fri, 20 Sep 2024 23:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_ironic:4.12::el9

Fri, 06 Sep 2024 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_ironic:4.13::el9

Wed, 21 Aug 2024 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat satellite
Redhat satellite Capsule
CPEs cpe:/a:redhat:satellite:6.15::el8
cpe:/a:redhat:satellite_capsule:6.15::el8
Vendors & Products Redhat satellite
Redhat satellite Capsule

Wed, 07 Aug 2024 10:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_ironic:4.15::el9

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-06T14:41:39.912Z

Updated: 2024-08-02T02:42:59.945Z

Reserved: 2024-04-30T06:56:33.380Z

Link: CVE-2024-34064

cve-icon Vulnrichment

Updated: 2024-08-02T02:42:59.945Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-06T15:15:23.803

Modified: 2024-11-21T09:18:00.810

Link: CVE-2024-34064

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-05-06T00:00:00Z

Links: CVE-2024-34064 - Bugzilla