jinja2@2.1.1 vulnerabilities

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the xmlattr filter. An attacker can manipulate the output of web pages by injecting additional attributes into elements, potentially leading to unauthorized actions or information disclosure.

Note: This vulnerability derives from an improper fix of CVE-2024-22195, which only addressed spaces but not other characters.

Upgrade Jinja2 to version 3.1.4 or higher.

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the xmlattr filter, when using keys containing spaces in an application accepts keys as user input. An attacker can inject arbitrary HTML attributes into the rendered HTML template, bypassing the auto-escaping mechanism, which may lead to the execution of untrusted scripts in the context of the user's browser session.

Note Accepting keys as user input is not common or a particularly intended use case of the xmlattr filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

Upgrade Jinja2 to version 3.1.3 or higher.

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation.

This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts or limiting process memory.

PoC by Yeting Li

from jinja2.utils import urlize
from time import perf_counter

for i in range(3):
    text = "abc@" + "." * (i+1)*5000 + "!"
    LEN = len(text)
    BEGIN = perf_counter()
    urlize(text)
    DURATION = perf_counter() - BEGIN
    print(f"{LEN}: took {DURATION} seconds!")

Upgrade Jinja2 to version 2.11.3 or higher.

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Sandbox Escape via the str.format_map. This vulnerability requires the attacker to have information about sensitive attributes, and exploiting it could allow the attacker to access sensitive content.

Upgrade Jinja2 to version 2.10.1 or higher.

Jinja2 is a template engine written in pure Python. It provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.

Affected versions of this package are vulnerable to Privilege Escalation due to not properly creating temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's UID.

NOTE: This vulnerability exists because of an incomplete fix for CVE-2014-1402.

Upgrade Jinja2 to version 2.7.2 or higher.

Jinja2 is a small but fast and easy to use stand-alone template engine written in pure python.

Affected versions of this package are vulnerable to Insecure Defaults attacks. The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with jinja2 in /tmp.

Upgrade to version 2.7.2 or greater.