# [HIGH] Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195)

**Source:** Snyk
**Published:** 2024-01-18
**Article:** https://snyk.io/blog/jinja2-xss-vulnerability/

## Threat Profile

Written by Liran Tal, January 18, 2024

On January 11th, 2024, a significant security vulnerability was disclosed in Jinja2, a widely used Python templating library. Identified as CVE-2024-22195, this cross-site scripting (XSS) vulnerability has raised concerns due to its impact on numerous projects. Jinja2 boasts over 33 million weekly downloads, nearly 10,000 GitHub stars, and over 90,000 dependent projects.
The vulnerability affects all versions prior to 3…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2024-22195`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1592.002** — Gather Victim Host Information: Software
- **T1059.007** — Command and Scripting Interpreter: JavaScript

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Vulnerable Jinja2 < 3.1.3 inventory pivot for CVE-2024-22195 (xmlattr XSS)

`UC_1295_2` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve="CVE-2024-22195" by Vulnerabilities.dest Vulnerabilities.signature Vulnerabilities.severity Vulnerabilities.cve Vulnerabilities.vendor_product _time
| `drop_dm_object_name(Vulnerabilities)`
| eval app="jinja2"
| sort 0 - _time
| table _time dest signature severity cve vendor_product app
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
// This table is a point-in-time inventory with no Timestamp column;
// recency (LastSeen) is taken from the DeviceInfo join below.
| where CveId =~ "CVE-2024-22195"
   or (SoftwareName =~ "jinja2" and SoftwareVendor has_any ("pallets", "python"))
| where SoftwareName =~ "jinja2"
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(30d)
    // OSPlatform already exists in the vulnerability table, so it is not pulled from DeviceInfo
    | summarize arg_max(Timestamp, IsInternetFacing, MachineGroup) by DeviceId
    | project DeviceId, LastSeen=Timestamp, IsInternetFacing, MachineGroup
  ) on DeviceId
| project LastSeen, DeviceId, DeviceName, OSPlatform, MachineGroup, IsInternetFacing,
          SoftwareVendor, SoftwareName, SoftwareVersion, CveId,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| order by IsInternetFacing desc, DeviceName asc
```

### Jinja2 xmlattr XSS exploitation attempt in HTTP request parameters (CVE-2024-22195)

`UC_1295_3` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count from datamodel=Web.Web where (Web.url="*onerror=*" OR Web.url="*onload=*" OR Web.url="*onclick=*" OR Web.url="*onmouseover=*" OR Web.url="*onfocus=*" OR Web.url="*onsubmit=*") by Web.src Web.dest Web.url Web.http_method Web.status Web.user_agent _time
| `drop_dm_object_name(Web)`
| eval decoded_url=urldecode(url)
| regex decoded_url="(?i)\s+(?:onerror|onload|onclick|onmouseover|onfocus|onsubmit|onmouseout)\s*="
| eval cve="CVE-2024-22195", signature="Jinja2 xmlattr XSS attempt"
| table _time src dest url decoded_url http_method status user_agent signature cve
```
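The request-parameter hunt above, re-implemented in Python and run over constructed web-proxy log lines so the regex can be exercised offline before deployment. This is an added example, not part of the briefing or of Snyk's article; it goes beyond the SPL by URL-decoding a bounded number of times so double-encoded payloads are also seen, and it shows why the leading `\s+` keeps a bare `?onload=1` parameter from firing.

```python
import re
from urllib.parse import unquote

# Same handler list as the SPL hunt; the leading whitespace requirement means
# the handler must appear as an injected attribute, not as a query-parameter name.
HANDLER_RE = re.compile(
    r"\s+(?P<handler>onerror|onload|onclick|onmouseover|onfocus|onsubmit|onmouseout)\s*=",
    re.IGNORECASE,
)

def decode_url(url: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) until the value stops changing.
    The SPL hunt decodes once; this extension also catches double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan_url(url: str):
    """Return the matched event-handler name (lowercase), or None if clean."""
    m = HANDLER_RE.search(decode_url(url))
    return m.group("handler").lower() if m else None

def hunt(log_lines):
    """Parse constructed 'src dest method url status' lines, return hits as dicts
    carrying the same signature/cve tags the SPL hunt attaches."""
    hits = []
    for line in log_lines:
        src, dest, method, url, status = line.split()
        handler = scan_url(url)
        if handler:
            hits.append({"src": src, "dest": dest, "http_method": method, "url": url,
                         "status": status, "handler": handler,
                         "signature": "Jinja2 xmlattr XSS attempt", "cve": "CVE-2024-22195"})
    return hits

# Constructed sample log lines (not real traffic, not from the article).
SAMPLE_LOGS = [
    "10.0.0.5 app.example.test GET /search?q=hello 200",
    "10.0.0.6 app.example.test GET /profile?attr=x%20onerror%3Dalert(1) 200",
    "10.0.0.7 app.example.test GET /profile?attr=x%2520onload%253D1 200",
    "10.0.0.8 app.example.test GET /settings?onload=1 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

The fourth sample line is a legitimate parameter named `onload` and produces no hit; the third is double-encoded and is only caught because of the repeated decode.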

### Article-specific behavioural hunt — Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195)

`UC_1295_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("j2_xmlattr.py"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*/private/tmp/py1...*" OR Filesystem.file_path="*/private/tmp/py1*" OR Filesystem.file_name IN ("j2_xmlattr.py"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195)
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("j2_xmlattr.py"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FolderPath has_any ("/private/tmp/py1...", "/private/tmp/py1") or FileName in~ ("j2_xmlattr.py"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2024-22195`


## Why this matters

Severity classified as **HIGH** based on: CVE present, 4 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
