python310-Jinja2-3.1.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13581-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-Jinja2-3.1.3-1.1 on GA media These are all security issues fixed in the python310-Jinja2-3.1.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13581 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-22195/ SUSE CVE CVE-2024-22195 page openSUSE Tumbleweed python310-Jinja2-3.1.3-1.1 python311-Jinja2-3.1.3-1.1 python39-Jinja2-3.1.3-1.1 python310-Jinja2-3.1.3-1.1 as a component of openSUSE Tumbleweed python311-Jinja2-3.1.3-1.1 as a component of openSUSE Tumbleweed python39-Jinja2-3.1.3-1.1 as a component of openSUSE Tumbleweed Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. CVE-2024-22195 openSUSE Tumbleweed:python310-Jinja2-3.1.3-1.1 openSUSE Tumbleweed:python311-Jinja2-3.1.3-1.1 openSUSE Tumbleweed:python39-Jinja2-3.1.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22195.html CVE-2024-22195 https://bugzilla.suse.com/1218722 SUSE Bug 1218722 https://bugzilla.suse.com/1223980 SUSE Bug 1223980