CVE-2024-34064
MediumVulnerability Description
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Known Affected Software
46 configuration(s) from 2 vendor(s)
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9.6:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.0.0:-:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.10.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.10.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.11.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.7.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.11.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.7.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.1.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9.4:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.0:-:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.11.0:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.6:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.7.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.7:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.10.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.9.5:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.11.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.8:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.5:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.10:*:*:*:*:*:*:*
cpe:2.3:a:palletsprojects:jinja:2.4:*:*:*:*:*:*:*
2025-Feb-CVE-2024-34064
CVE-2024-34064: None
2025-Jan-CVE-2024-34064
CVE-2024-34064: None
2024-May-CVE-2024-34064
CVE-2024-34064: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
2025-Apr-CVE-2024-34064
CVE-2024-34064: None
CPUJUL2025
Oracle Critical Patch Update Advisory - July 2025
CPUAPR2025
Oracle Critical Patch Update Advisory - April 2025
CPUJAN2025
Oracle Critical Patch Update Advisory - January 2025
References & Resources
-
https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cbsecurity-advisories@github.com Patch
-
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfjsecurity-advisories@github.com Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC/security-advisories@github.com Mailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE/security-advisories@github.com Mailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS/security-advisories@github.com Mailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS/security-advisories@github.com Mailing List
-
https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cbaf854a3a-2127-422b-91ae-364da2661108 Patch
-
https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfjaf854a3a-2127-422b-91ae-364da2661108 Vendor Advisory
-
https://lists.debian.org/debian-lts-announce/2024/12/msg00009.htmlaf854a3a-2127-422b-91ae-364da2661108
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC/af854a3a-2127-422b-91ae-364da2661108 Mailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE/af854a3a-2127-422b-91ae-364da2661108 Mailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS/af854a3a-2127-422b-91ae-364da2661108 Mailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS/af854a3a-2127-422b-91ae-364da2661108 Mailing List
Severity Details
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Description
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- Exploit Likelihood
- High
- Typical Severity
- Medium
- OWASP Top 10
- A03:2021-Injection
- Abstraction Level
- Base
Key Information
- Published Date
- May 06, 2024
