OESA-2024-1605

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1605
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-1605.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-1605
Upstream
Published
2024-05-17T11:08:02Z
Modified
2025-08-12T05:43:50.594126Z
Summary
python-jinja2 security update
Details

Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important.

Security Fix(es):

Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attribute names cannot contain spaces, /, >, or =, as each would be interpreted as ending the current attribute and starting another. If an application accepts keys (as opposed to only values) as user input and renders them in pages that other users also see, an attacker can use this to inject further attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces, not the other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe. This vulnerability is fixed upstream in 3.1.4; the openEuler builds listed under Affected packages keep the 2.11.2 and 3.0.3 upstream versions and carry the fix as a distribution patch, so compare the installed release number against the Fixed version for your branch rather than the upstream version alone. (CVE-2024-34064)
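As an added illustration (not code from Jinja, openEuler, or this advisory), the following Python models the flaw described above: a dict joined into attribute syntax with only the values escaped, an attacker-controlled key that smuggles an event handler, the same payload neutralised when placed in a value, and the key validation an application should perform before handing user input to xmlattr regardless of Jinja version. xmlattr_unchecked only mimics the join the filter performs; the function names, the allowlist regex, the template scanner and the attacker string are this example's own assumptions.

```python
"""Added example for CVE-2024-34064 (not Jinja's or openEuler's code).

Shows why attacker-controlled *keys* handed to xmlattr inject attributes,
why values stay safe, and the key validation an application should do
regardless of Jinja version. The mini-xmlattr here only mimics the join
behaviour of the real filter; the names and regexes are this example's own.
"""
import html
import re


def xmlattr_unchecked(attrs: dict) -> str:
    """Mimic the historical xmlattr join: values are escaped, keys are trusted."""
    return "".join(
        f' {key}="{html.escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )


# Characters the advisory lists as impossible inside an attribute name.
_FORBIDDEN_IN_KEY = re.compile(r"[\s/>=]", re.ASCII)
# Stricter allowlist (assumption, not upstream's check): a plausible attribute name.
_ATTR_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


def validate_attr_keys(attrs: dict) -> dict:
    """Reject any key that could terminate the attribute and start another."""
    for key in attrs:
        if (
            not isinstance(key, str)
            or _FORBIDDEN_IN_KEY.search(key)
            or not _ATTR_NAME.match(key)
        ):
            raise ValueError(f"refusing attribute name {key!r}")
    return attrs


def xmlattr_checked(attrs: dict) -> str:
    """What application code should do: validate keys, then render."""
    return xmlattr_unchecked(validate_attr_keys(attrs))


def is_rejected(attrs: dict) -> bool:
    """True when the hardened path refuses the supplied attribute names."""
    try:
        xmlattr_checked(attrs)
    except ValueError:
        return True
    return False


# Constructed attacker input: the key smuggles an event handler; only the
# trailing 'x' becomes the attribute that actually receives the value.
MALICIOUS_KEY = "data-id onmouseover=alert(1) x"


def demo_key_injection() -> str:
    """Unchecked keys: the rendered string now carries onmouseover=alert(1)."""
    return xmlattr_unchecked({"class": "link", MALICIOUS_KEY: "42"})


def demo_value_is_safe() -> str:
    """The same payload in a value is neutralised by quote escaping."""
    return xmlattr_unchecked({"title": '" onmouseover="alert(1)'})


# Minimal scanner for the review rule in the advisory: any xmlattr whose input
# is not a literal dict may be fed user-controlled keys and deserves a look.
_XMLATTR_USE = re.compile(r"\{\{\s*(.+?)\s*\|\s*xmlattr\b")


def flag_xmlattr_uses(template_src: str) -> list:
    """List expressions piped into xmlattr that are not a literal dict."""
    return [
        m.group(1)
        for m in _XMLATTR_USE.finditer(template_src)
        if not m.group(1).startswith("{")
    ]


if __name__ == "__main__":
    print("unchecked :", demo_key_injection())
    print("value-safe:", demo_value_is_safe())
    print("rejected  :", is_rejected({MALICIOUS_KEY: "42"}))
    print("flagged   :", flag_xmlattr_uses(
        '<a {{ link_attrs|xmlattr }}>x</a> <b {{ {"class": "k"}|xmlattr }}>'
    ))
```

On an openEuler host, `rpm -q python3-jinja2` compared against the Fixed version for your branch shows whether the patched build is installed; the key validation above is still required on any version, because the advisory treats user-supplied keys as an unsupported use of the filter.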

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / python-jinja2

Package

Name
python-jinja2
Purl
pkg:rpm/openEuler/python-jinja2&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
2.11.2-7.oe1

Ecosystem specific

{
    "noarch": [
        "python3-jinja2-2.11.2-7.oe1.noarch.rpm",
        "python-jinja2-help-2.11.2-7.oe1.noarch.rpm",
        "python2-jinja2-2.11.2-7.oe1.noarch.rpm"
    ],
    "src": [
        "python-jinja2-2.11.2-7.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP4 / python-jinja2

Package

Name
python-jinja2
Purl
pkg:rpm/openEuler/python-jinja2&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
2.11.2-7.oe2003sp4

Ecosystem specific

{
    "noarch": [
        "python3-jinja2-2.11.2-7.oe2003sp4.noarch.rpm",
        "python2-jinja2-2.11.2-7.oe2003sp4.noarch.rpm",
        "python-jinja2-help-2.11.2-7.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "python-jinja2-2.11.2-7.oe2003sp4.src.rpm"
    ]
}

openEuler:22.03-LTS / python-jinja2

Package

Name
python-jinja2
Purl
pkg:rpm/openEuler/python-jinja2&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
3.0.3-4.oe2203sp3

Ecosystem specific

{
    "noarch": [
        "python3-jinja2-3.0.3-4.oe2203.noarch.rpm",
        "python-jinja2-help-3.0.3-4.oe2203.noarch.rpm",
        "python3-jinja2-3.0.3-4.oe2203sp1.noarch.rpm",
        "python-jinja2-help-3.0.3-4.oe2203sp1.noarch.rpm",
        "python-jinja2-help-3.0.3-4.oe2203sp2.noarch.rpm",
        "python3-jinja2-3.0.3-4.oe2203sp2.noarch.rpm",
        "python3-jinja2-3.0.3-4.oe2203sp3.noarch.rpm",
        "python-jinja2-help-3.0.3-4.oe2203sp3.noarch.rpm"
    ],
    "src": [
        "python-jinja2-3.0.3-4.oe2203.src.rpm",
        "python-jinja2-3.0.3-4.oe2203sp1.src.rpm",
        "python-jinja2-3.0.3-4.oe2203sp2.src.rpm",
        "python-jinja2-3.0.3-4.oe2203sp3.src.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / python-jinja2

Package

Name
python-jinja2
Purl
pkg:rpm/openEuler/python-jinja2&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
3.0.3-4.oe2203sp1

Ecosystem specific

{
    "noarch": [
        "python3-jinja2-3.0.3-4.oe2203sp1.noarch.rpm",
        "python-jinja2-help-3.0.3-4.oe2203sp1.noarch.rpm"
    ],
    "src": [
        "python-jinja2-3.0.3-4.oe2203sp1.src.rpm"
    ]
}

openEuler:22.03-LTS-SP2 / python-jinja2

Package

Name
python-jinja2
Purl
pkg:rpm/openEuler/python-jinja2&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
3.0.3-4.oe2203sp2

Ecosystem specific

{
    "noarch": [
        "python-jinja2-help-3.0.3-4.oe2203sp2.noarch.rpm",
        "python3-jinja2-3.0.3-4.oe2203sp2.noarch.rpm"
    ],
    "src": [
        "python-jinja2-3.0.3-4.oe2203sp2.src.rpm"
    ]
}

openEuler:22.03-LTS-SP3 / python-jinja2

Package

Name
python-jinja2
Purl
pkg:rpm/openEuler/python-jinja2&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
3.0.3-4.oe2203sp3

Ecosystem specific

{
    "noarch": [
        "python3-jinja2-3.0.3-4.oe2203sp3.noarch.rpm",
        "python-jinja2-help-3.0.3-4.oe2203sp3.noarch.rpm"
    ],
    "src": [
        "python-jinja2-3.0.3-4.oe2203sp3.src.rpm"
    ]
}