USN-6787-1: Jinja2 vulnerability

Operations Manager

24731

22 August 2024

22 August 2024

CLOSED

MEDIUM

CVE-2024-34064

Severity

medium

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 16.04
  • Operations Manager Image 2.10

Description

It was discovered that Jinja2 incorrectly handled certain HTML attribute keys accepted by the xmlattr filter. The filter escapes attribute values but did not validate attribute names, so an attacker who can influence the keys passed to xmlattr could inject arbitrary HTML attribute keys and values and potentially execute a cross-site scripting (XSS) attack. Only applications that build the xmlattr dictionary from untrusted input are exposed; attribute values alone are escaped as before.

Update Instructions: Run `sudo pro fix USN-6787-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

  • python-jinja2 - 2.8-1ubuntu0.1+esm3
  • python-jinja2-doc - 2.8-1ubuntu0.1+esm3
  • python3-jinja2 - 2.8-1ubuntu0.1+esm3

Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro. Note that this is a backported fix: the Python-visible version (`jinja2.__version__`) remains 2.8, so verify the fix by the package version (for example `dpkg -s python3-jinja2`), not by the upstream version string.
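The following is an added illustration of the bug class, not code from Jinja2 or from the advisory. It re-implements the xmlattr filter's behaviour before and after the fix in plain Python: the unpatched variant escapes values but trusts keys verbatim, and the patched variant rejects keys containing whitespace, `/`, `>` or `=`. The rejection regex is assumed to mirror the upstream 3.1.4 check; the function names, the `demo()` helper and the sample dictionaries are constructed for this example.

```python
"""Illustration of CVE-2024-34064 (Jinja2 xmlattr key injection).

Added example: a pure-Python re-implementation of the filter's behaviour
before and after the fix. Not Jinja2's own code. The key-validation
regex is assumed to match the upstream 3.1.4 check.
"""
import re
from html import escape

# Characters that must never appear in an attribute *name*: whitespace,
# '/', '>' and '='. A key containing any of them lets the caller terminate
# the current attribute and start a new one (assumed to mirror upstream).
_ATTR_KEY_RE = re.compile(r"[\s/>=]", flags=re.ASCII)


def xmlattr_unpatched(attrs: dict) -> str:
    """Vulnerable behaviour: values are escaped, keys are emitted verbatim."""
    return "".join(
        f' {key}="{escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None  # None values are skipped, as in the real filter
    )


def xmlattr_patched(attrs: dict) -> str:
    """Fixed behaviour: refuse any key that could split or end an attribute."""
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        if _ATTR_KEY_RE.search(key) is not None:
            raise ValueError(f"Invalid character in attribute name: {key!r}")
        parts.append(f' {key}="{escape(str(value), quote=True)}"')
    return "".join(parts)


# Constructed inputs. An application that lets a user choose the name of a
# data-* attribute receives a "name" that smuggles in an event handler.
MALICIOUS_ATTRS = {"data-x onmouseover=alert(1) data-y": "harmless"}
BENIGN_ATTRS = {"class": "btn", "title": 'say "hi" <b>', "hidden": None}


def demo() -> dict:
    """Run both variants on the malicious input and report what happened."""
    vulnerable = xmlattr_unpatched(MALICIOUS_ATTRS)
    # Rendered into <div{vulnerable}>, the browser sees three attributes,
    # one of which is an onmouseover handler the application never wrote.
    injected = " onmouseover=alert(1) " in vulnerable
    try:
        xmlattr_patched(MALICIOUS_ATTRS)
        blocked = False
    except ValueError:
        blocked = True
    return {"vulnerable_output": vulnerable, "injected": injected, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
    print("benign, patched:", xmlattr_patched(BENIGN_ATTRS))
```

Escaping the value is not enough because the injection point is the attribute name; the hardening is to validate the name against the set of characters that can close an attribute, and to keep user input out of attribute names altogether where the application can.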

Fixed VMware Products and Versions

  • Operations Manager
    • 3.0.30+LTS-T or greater
  • Operations Manager Image
    • 3.0.30+LTS-T or greater

References

https://ubuntu.com/security/notices/USN-6787-1

https://www.cloudfoundry.org/blog/usn-6787-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34064

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24731

History

2024-05-28: Initial vulnerability report published.