Vulmon
Amazon Linux 2 Security Advisory: ALAS-2024-2436
Advisory Release Date: 2024-02-01 19:57 Pacific
Advisory Updated Date: 2024-02-01 19:57 Pacific
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. (CVE-2024-22195)
Affected Packages:
python-jinja2
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python-jinja2 to update your system.
noarch:
python-jinja2-2.7.2-3.amzn2.0.1.noarch
src:
python-jinja2-2.7.2-3.amzn2.0.1.src