Jinja is a popular extensible templating engine widely used in Python web applications. A vulnerability has been discovered in the xmlattr filter of certain Jinja versions, which allows attackers to inject other attributes and perform Cross-Site Scripting (XSS) attacks. This issue poses a threat when applications accept keys (as opposed to only values) as user input and render them in pages that other users access. The previously released fix, CVE-2024-22195, only addressed spaces but not other characters. Jinja has now released version 3.1.4, which fixes this vulnerability.
Here's an example of vulnerable code using the xmlattr filter:

```python
from jinja2 import Environment, DictLoader

# Render a dictionary as HTML attributes with the xmlattr filter.
env = Environment(loader=DictLoader({
    "template": "{{ data|xmlattr }}"
}))

# Each key is written into the markup verbatim; only the values are escaped.
data = {
    "name": "John Doe",
    "style": "color: red;",
    "onclick": "alert('XSS');",
}

print(env.get_template("template").render(data=data))
```
A user could inject other attributes like onclick and perform an XSS attack, as shown in the code snippet above.
The issue was first reported in the Jinja repository.
The advisory for the vulnerability can be found here.
Jinja has released a fixed version, 3.1.4, which addresses the issue.
Exploit Details
The exploit only works when applications accept keys as user input and render these keys in pages that other users access. If an attacker submits keys containing non-attribute characters like spaces, /, >, or =, these characters would be interpreted as starting separate attributes, allowing the attacker to inject harmful attributes.
This vulnerability can be exploited to perform XSS attacks, as demonstrated in the code snippet provided earlier.
Mitigation Measures
The vulnerability is fixed in Jinja version 3.1.4, which no longer allows the xmlattr filter to accept keys containing non-attribute characters.
Developers should take two steps to protect against this vulnerability:
1. Update applications to Jinja 3.1.4.
2. Review application code to ensure that it does not accept keys as user input without proper input validation. If it does, apply appropriate input validation mechanisms.
Accepting values as user input continues to be safe with the xmlattr filter.
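As an added example (not the page's or Jinja's own code), the following application-side validator mirrors the key check described above for 3.1.4 (rejecting keys containing whitespace, /, > or =), next to a minimal stand-in for the filter's value escaping so the key case and the value case can be compared offline. The attribute dictionaries, the function names and the stand-in renderer are constructed for this illustration.

```python
import html
import re

# Characters the page names as breaking out of an attribute name: whitespace, "/", ">" and "=".
# Constructed to mirror the check described for Jinja 3.1.4; this is not Jinja's own code.
_UNSAFE_KEY_CHARS = re.compile(r"[\s/>=]", flags=re.ASCII)

def is_safe_attr_key(key: str) -> bool:
    """True if key is non-empty and contains none of the characters that start a new attribute."""
    return bool(key) and _UNSAFE_KEY_CHARS.search(key) is None

def validate_attr_keys(attrs: dict) -> dict:
    """Application-side validation for code that accepts attribute keys from users."""
    for key in attrs:
        if not is_safe_attr_key(key):
            raise ValueError(f"invalid character in attribute name: {key!r}")
    return attrs

def render_xmlattr(attrs: dict) -> str:
    """Minimal stand-in for the xmlattr filter as the page describes it before 3.1.4:
    values are escaped, keys are copied verbatim, None values are skipped."""
    return "".join(
        f' {key}="{html.escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )

def render_xmlattr_safe(attrs: dict) -> str:
    """Validate keys first, then render; the fixed filter rejects the same keys."""
    return render_xmlattr(validate_attr_keys(attrs))

def demo() -> dict:
    # Constructed samples: an untrusted value stays inside one quoted attribute because it is
    # escaped, while an untrusted key containing a space splits into two attributes.
    value_only = {"title": '" onclick="alert(1)'}
    crafted_key = {"title onclick": "alert(1)"}
    results = {
        "value_escaped": render_xmlattr(value_only),  # ' title="&quot; onclick=&quot;alert(1)"'
        "key_injected": render_xmlattr(crafted_key),  # ' title onclick="alert(1)"'
        "safe_value_only": render_xmlattr_safe(value_only),
    }
    try:
        render_xmlattr_safe(crafted_key)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results
```

The `key_injected` result shows why escaping values alone is not enough: the browser reads the rendered text as an empty `title` attribute followed by a separate `onclick` attribute, which is exactly the case the key check refuses.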
Timeline
Published on: 05/06/2024 15:15:23 UTC
Last modified on: 06/10/2024 18:15:34 UTC