Medium severity5.4NVD Advisory· Published Jan 11, 2024· Updated Jun 17, 2026
CVE-2024-22195
CVE-2024-22195
Description
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jinja2PyPI | < 3.1.3 | 3.1.3 |
Affected products
155- osv-coords154 versionspkg:apk/chainguard/checkovpkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/py3.10-jinja2pkg:apk/chainguard/py3.11-jinja2pkg:apk/chainguard/py3.12-jinja2pkg:apk/chainguard/py3.13-jinja2pkg:apk/chainguard/py3-jinja2pkg:apk/chainguard/py3-supported-jinja2pkg:apk/chainguard/pytorchpkg:apk/chainguard/reflexpkg:apk/wolfi/checkovpkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/py3.10-jinja2pkg:apk/wolfi/py3.11-jinja2pkg:apk/wolfi/py3.12-jinja2pkg:apk/wolfi/py3.13-jinja2pkg:apk/wolfi/py3-jinja2pkg:apk/wolfi/py3-supported-jinja2pkg:apk/wolfi/pytorchpkg:apk/wolfi/reflexpkg:pypi/jinja2pkg:rpm/almalinux/babelpkg:rpm/almalinux/fence-agents-aliyunpkg:rpm/almalinux/fence-agents-allpkg:rpm/almalinux/fence-agents-amt-wspkg:rpm/almalinux/fence-agents-apcpkg:rpm/almalinux/fence-agents-apc-snmppkg:rpm/almalinux/fence-agents-awspkg:rpm/almalinux/fence-agents-azure-armpkg:rpm/almalinux/fence-agents-bladecenterpkg:rpm/almalinux/fence-agents-brocadepkg:rpm/almalinux/fence-agents-cisco-mdspkg:rpm/almalinux/fence-agents-cisco-ucspkg:rpm/almalinux/fence-agents-commonpkg:rpm/almalinux/fence-agents-computepkg:rpm/almalinux/fence-agents-drac5pkg:rpm/almalinux/fence-agents-eaton-snmppkg:rpm/almalinux/fence-agents-emersonpkg:rpm/almalinux/fence-agents-epspkg:rpm/almalinux/fence-agents-gcepkg:rpm/almalinux/fence-agents-heuristics-pingpkg:rpm/almalinux/fence-agents-hpbladepkg:rpm/almalinux/fence-agents-ibmbladepkg:rpm/almalinux/fence-agents-ibm-powervspkg:rpm/almalinux/fence-agents-ibm-vpcpkg:rpm/almalinux/fence-agents-ifmibpkg:rpm/almalinux/fence-agents-ilo2pkg:rpm/almalinux/fence-agents-ilo-moonshotpkg:rpm/almalinux/fence-agents-ilo-mppkg:rpm/almalinux/fence-agents-ilo-sshpkg:rpm/almalinux/fence-agents-intelmodularpkg:rpm/almalinux/fence-agents-ipdupkg:rpm/almalinux/fence-agents-ipmilanpkg:rpm/almalinux/fence-agents-kdumppkg:rpm/almalinux/fence-agents-kubevirtpkg:rpm/almalinux/fence-agents-lparpkg:rpm/almalinux/fence-agents-mpathpkg:rpm/almalinux/fence-agents-openstackpkg:rpm/almalinux/fence-agents-redfishpkg:rpm/almalinux/fence-agents-rhevmpkg:rpm/almalinux/fence-agents-rsapkg:rpm/almalinux/fence-agents-rsbpkg:rpm/almalinux/fence-agents-sbdpkg:rpm/almalinux/fence-agents-scsipkg:rpm/almalinux/fence-agents-virshpkg:rpm/almalinux/fence-agents-vmware-restpkg:rpm/almalinux/fence-agents-vmware-soappkg:rpm/almalinux/fence-agents-wtipkg:rpm/almalinux/fence-agents-zvmpkg:rpm/almalinux/fence-virtpkg:rpm/almalinux/fence-virtdpkg:rpm/almalinux/fence-virtd-cpgpkg:rpm/almalinux/fence-virtd-libvirtpkg:rpm/almalinux/fence-virtd-multicastpkg:rpm/almalinux/fence-virtd-serialpkg:rpm/almalinux/fence-virtd-tcppkg:rpm/almalinux/ha-cloud-supportpkg:rpm/almalinux/python2pkg:rpm/almalinux/python2-attrspkg:rpm/almalinux/python2-babelpkg:rpm/almalinux/python2-backportspkg:rpm/almalinux/python2-backports-ssl_match_hostnamepkg:rpm/almalinux/python2-bsonpkg:rpm/almalinux/python2-chardetpkg:rpm/almalinux/python2-coveragepkg:rpm/almalinux/python2-Cythonpkg:rpm/almalinux/python2-debugpkg:rpm/almalinux/python2-develpkg:rpm/almalinux/python2-dnspkg:rpm/almalinux/python2-docspkg:rpm/almalinux/python2-docs-infopkg:rpm/almalinux/python2-docutilspkg:rpm/almalinux/python2-funcsigspkg:rpm/almalinux/python2-idnapkg:rpm/almalinux/python2-ipaddresspkg:rpm/almalinux/python2-jinja2pkg:rpm/almalinux/python2-libspkg:rpm/almalinux/python2-lxmlpkg:rpm/almalinux/python2-markupsafepkg:rpm/almalinux/python2-mockpkg:rpm/almalinux/python2-nosepkg:rpm/almalinux/python2-numpypkg:rpm/almalinux/python2-numpy-docpkg:rpm/almalinux/python2-numpy-f2pypkg:rpm/almalinux/python2-pippkg:rpm/almalinux/python2-pip-wheelpkg:rpm/almalinux/python2-pluggypkg:rpm/almalinux/python2-psycopg2pkg:rpm/almalinux/python2-psycopg2-debugpkg:rpm/almalinux/python2-psycopg2-testspkg:rpm/almalinux/python2-pypkg:rpm/almalinux/python2-pygmentspkg:rpm/almalinux/python2-pymongopkg:rpm/almalinux/python2-pymongo-gridfspkg:rpm/almalinux/python2-PyMySQLpkg:rpm/almalinux/python2-pysockspkg:rpm/almalinux/python2-pytestpkg:rpm/almalinux/python2-pytest-mockpkg:rpm/almalinux/python2-pytzpkg:rpm/almalinux/python2-pyyamlpkg:rpm/almalinux/python2-requestspkg:rpm/almalinux/python2-rpm-macrospkg:rpm/almalinux/python2-scipypkg:rpm/almalinux/python2-setuptoolspkg:rpm/almalinux/python2-setuptools_scmpkg:rpm/almalinux/python2-setuptools-wheelpkg:rpm/almalinux/python2-sixpkg:rpm/almalinux/python2-sqlalchemypkg:rpm/almalinux/python2-testpkg:rpm/almalinux/python2-tkinterpkg:rpm/almalinux/python2-toolspkg:rpm/almalinux/python2-urllib3pkg:rpm/almalinux/python2-virtualenvpkg:rpm/almalinux/python2-wheelpkg:rpm/almalinux/python2-wheel-wheelpkg:rpm/almalinux/python3-jinja2pkg:rpm/almalinux/python-nose-docspkg:rpm/almalinux/python-psycopg2-docpkg:rpm/almalinux/python-sqlalchemy-docpkg:rpm/opensuse/python-Jinja2&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Jinja2&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-Jinja2&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/python-Jinja2&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/opensuse/python-Jinja2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Micro%206.0
< 3.0.34-r1+ 153 more
- (no CPE)range: < 3.0.34-r1
- (no CPE)range: < 2.4.0-r0
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 2.1.2-r3
- (no CPE)range: < 0.3.9-r0
- (no CPE)range: < 3.0.34-r1
- (no CPE)range: < 2.4.0-r0
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 3.1.3-r1
- (no CPE)range: < 2.1.2-r3
- (no CPE)range: < 0.3.9-r0
- (no CPE)range: < 3.1.3
- (no CPE)range: < 2.5.1-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 4.10.0-62.el9
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 17.4.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.5.1-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.5.0.1-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.0.4-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 4.5.1-5.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 0.28.1-7.module_el8.6.0+3162+01a09e5a
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 1.15.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.16-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.16-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.14-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.2-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.18-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.10-10.module_el8.10.0+3783+2756348e
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 4.2.3-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.23-19.module_el8.6.0+3162+01a09e5a
- (no CPE)range: < 2.0.0-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.7-31.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 9.0.3-19.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 9.0.3-19.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.6.0-8.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-8.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 2.7.5-8.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 2.7.5-8.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 1.5.3-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.2.0-22.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+3162+01a09e5a
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.8.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.6.8-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.4.2-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.9.0-4.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2017.2-13.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 3.12-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.20.0-4.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 3-38.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.0-22.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 39.0.1-14.module_el8.10.0+3783+2756348e
- (no CPE)range: < 1.15.7-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 39.0.1-14.module_el8.10.0+3783+2756348e
- (no CPE)range: < 1.11.0-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.2-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 2.7.18-17.module_el8.10.0+3783+2756348e.alma
- (no CPE)range: < 1.24.2-4.module_el8.10.0+3783+2756348e
- (no CPE)range: < 15.1.0-22.module_el8.10.0+3783+2756348e
- (no CPE)range: < 1:0.31.1-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:0.31.1-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.11.3-5.el9
- (no CPE)range: < 1.3.7-31.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-8.module_el8.9.0+3640+8d3927b5
- (no CPE)range: < 1.3.2-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 3.1.2-150400.12.6.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 3.1.3-1.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 2.10.1-150000.3.13.1
- (no CPE)range: < 3.1.2-150400.12.6.1
- (no CPE)range: < 3.1.2-150400.12.6.1
- (no CPE)range: < 3.1.2-6.1
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-h5c8-rqwp-cp95ghsaADVISORY
- github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-22195ghsaADVISORY
- github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7ghsaWEB
- github.com/pallets/jinja/releases/tag/3.1.3nvdRelease NotesWEB
- lists.debian.org/debian-lts-announce/2024/01/msg00010.htmlnvdWEB
- lists.debian.org/debian-lts-announce/2024/12/msg00009.htmlnvdWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3/nvd
News mentions
0No linked articles in our index yet.