ALAS-2024-2436

Amazon Linux 2 Security Advisory: ALAS-2024-2436
Advisory Release Date: 2024-02-01 19:57 Pacific
Advisory Updated Date: 2024-02-01 19:57 Pacific

Severity: Medium

References: CVE-2024-22195
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. (CVE-2024-22195)

Affected Packages:

python-jinja2

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-jinja2 to update your system.

New Packages:

noarch:
    python-jinja2-2.7.2-3.amzn2.0.1.noarch

src:
    python-jinja2-2.7.2-3.amzn2.0.1.src

Additional References

Red Hat: CVE-2024-22195

Mitre: CVE-2024-22195

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-2436

Additional References