ALAS-2024-503

Amazon Linux 2023 Security Advisory: ALAS-2024-503
Advisory Release Date: 2024-02-01 17:56 Pacific
Advisory Updated Date: 2024-02-06 15:00 Pacific

Severity: Medium

References: CVE-2024-22195
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. (CVE-2024-22195)

Affected Packages:

python-jinja2

Issue Correction:
Run dnf update python-jinja2 --releasever 2023.3.20240205 to update your system.

New Packages:

noarch:
    python3-jinja2-2.11.3-1.amzn2023.0.3.noarch

src:
    python-jinja2-2.11.3-1.amzn2023.0.3.src

Additional References

Red Hat: CVE-2024-22195

Mitre: CVE-2024-22195

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-503

Additional References