ALPINE-CVE-2024-22195
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 11 Jan 2024, 03:15
Last modified:03 Dec 2025, 22:55
Vulnerability Summary
Overall Risk (default)
low
24/100 CVSS Score
6.1 MEDIUM
3.1 (osv_alpine)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
11 Jan 2024, 03:15
Published
Vulnerability first disclosed
03 Dec 2025, 22:55
Last Modified
Vulnerability information updated
Description
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Systems
- alpine•py3-jinja2
< 3.1.4-r0 | < 3.1.4-r0 | < 3.1.4-r0 | < 3.1.3-r0 | < 3.1.3-r0 | < 3.1.3-r0 | < 3.1.3-r0