Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-6802 (GCVE-0-2020-6802)
Vulnerability from cvelistv5
Published
2020-03-24 21:13
Modified
2024-08-04 09:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- mutation XSS
Summary
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Mozilla Bleach |
Version: <=3.10 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:11:05.145Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "name": "FEDORA-2020-827b677e15", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "name": "FEDORA-2020-e1fa96c506", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "name": "FEDORA-2020-e9c8bdd1e3", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mozilla Bleach", "vendor": "n/a", "versions": [ { "status": "affected", "version": "\u003c=3.10" } ] } ], "descriptions": [ { "lang": "en", "value": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option." } ], "problemTypes": [ { "descriptions": [ { "description": "mutation XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-30T21:22:51", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "name": "FEDORA-2020-827b677e15", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "name": "FEDORA-2020-e1fa96c506", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "name": "FEDORA-2020-e9c8bdd1e3", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "tags": [ "x_refsource_MISC" ], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-6802", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mozilla Bleach", "version": { "version_data": [ { "version_value": "\u003c=3.10" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "mutation XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r", "refsource": "MISC", "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "name": "FEDORA-2020-827b677e15", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "name": "FEDORA-2020-e1fa96c506", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "name": "FEDORA-2020-e9c8bdd1e3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "name": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach", "refsource": "MISC", "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "name": "https://advisory.checkmarx.net/advisory/CX-2020-4276", "refsource": "MISC", "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" } ] } } } }, "cveMetadata": { "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2020-6802", "datePublished": "2020-03-24T21:13:04", "dateReserved": "2020-01-10T00:00:00", "dateUpdated": "2024-08-04T09:11:05.145Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-6802\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2020-03-24T22:15:12.563\",\"lastModified\":\"2024-11-21T05:36:12.560\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.\"},{\"lang\":\"es\",\"value\":\"En Mozilla Bleach versiones anteriores a 3.11, una mutaci\u00f3n de XSS afecta a usuarios que llaman a bleach.clean con noscript y una etiqueta sin procesar en la opci\u00f3n de etiquetas allowed/whitelisted.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:bleach:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.1.1\",\"matchCriteriaId\":\"6DCA9D24-5EEF-40F9-9089-4E603FB3A8F3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}],\"references\":[{\"url\":\"https://advisory.checkmarx.net/advisory/CX-2020-4276\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/\",\"source\":\"security@mozilla.org\"},{\"url\":\"https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://advisory.checkmarx.net/advisory/CX-2020-4276\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}" } }
fkie_cve-2020-6802
Vulnerability from fkie_nvd
Published
2020-03-24 22:15
Modified
2024-11-21 05:36
Severity ?
Summary
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
References
▶ | URL | Tags | |
---|---|---|---|
security@mozilla.org | https://advisory.checkmarx.net/advisory/CX-2020-4276 | Exploit, Third Party Advisory | |
security@mozilla.org | https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r | Third Party Advisory | |
security@mozilla.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/ | ||
security@mozilla.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/ | ||
security@mozilla.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/ | ||
security@mozilla.org | https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://advisory.checkmarx.net/advisory/CX-2020-4276 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
mozilla | bleach | * | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:mozilla:bleach:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DCA9D24-5EEF-40F9-9089-4E603FB3A8F3", "versionEndExcluding": "3.1.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option." }, { "lang": "es", "value": "En Mozilla Bleach versiones anteriores a 3.11, una mutaci\u00f3n de XSS afecta a usuarios que llaman a bleach.clean con noscript y una etiqueta sin procesar en la opci\u00f3n de etiquetas allowed/whitelisted." } ], "id": "CVE-2020-6802", "lastModified": "2024-11-21T05:36:12.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-24T22:15:12.563", "references": [ { "source": "security@mozilla.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" }, { "source": "security@mozilla.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "source": "security@mozilla.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "source": "security@mozilla.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "source": "security@mozilla.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "source": "security@mozilla.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" } ], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
pysec-2020-27
Vulnerability from pysec
Published
2020-03-24 22:15
Modified
2021-03-30 22:15
Details
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Impacted products
Name | purl | bleach | pkg:pypi/bleach |
---|
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "bleach", "purl": "pkg:pypi/bleach" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.1.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.1", "0.1.1", "0.1.2", "0.2", "0.2.1", "0.2.2", "0.3", "0.3.1", "0.3.3", "0.3.4", "0.5.0", "0.5.1", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.2", "1.2.1", "1.2.2", "1.4", "1.4.1", "1.4.2", "1.4.3", "1.5.0", "2.0.0", "2.1", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "3.0.0", "3.0.1", "3.0.2", "3.1.0" ] } ], "aliases": [ "CVE-2020-6802", "GHSA-q65m-pv3f-wr5r" ], "details": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "id": "PYSEC-2020-27", "modified": "2021-03-30T22:15:00Z", "published": "2020-03-24T22:15:00Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "type": "ARTICLE", "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "type": "ADVISORY", "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" } ] }
opensuse-su-2020:0308-1
Vulnerability from csaf_opensuse
Published
2020-03-07 09:14
Modified
2020-03-07 09:14
Summary
Security update for python-bleach
Notes
Title of the patch
Security update for python-bleach
Description of the patch
This update for python-bleach to version 3.1.1 fixes the following issue:
- Python-bleach was updated to 3.1.1
- CVE-2020-6802: Fixed mutation XSS vulnerabilities (boo#1165303).
Patchnames
openSUSE-2020-308
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-bleach", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-bleach to version 3.1.1 fixes the following issue:\n\n- Python-bleach was updated to 3.1.1\n- CVE-2020-6802: Fixed mutation XSS vulnerabilities (boo#1165303).\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2020-308", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0308-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2020:0308-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42YYAZLSUO2H6HI5G3EGIRCDDAHTGJGK/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2020:0308-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42YYAZLSUO2H6HI5G3EGIRCDDAHTGJGK/" }, { "category": "self", "summary": "SUSE Bug 1165303", "url": "https://bugzilla.suse.com/1165303" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6802 page", "url": "https://www.suse.com/security/cve/CVE-2020-6802/" } ], "title": "Security update for python-bleach", "tracking": { "current_release_date": "2020-03-07T09:14:37Z", "generator": { "date": "2020-03-07T09:14:37Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2020:0308-1", "initial_release_date": "2020-03-07T09:14:37Z", "revision_history": [ { "date": "2020-03-07T09:14:37Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python2-bleach-3.1.1-lp151.3.6.1.noarch", "product": { "name": "python2-bleach-3.1.1-lp151.3.6.1.noarch", "product_id": "python2-bleach-3.1.1-lp151.3.6.1.noarch" } }, { "category": "product_version", "name": "python3-bleach-3.1.1-lp151.3.6.1.noarch", "product": { "name": "python3-bleach-3.1.1-lp151.3.6.1.noarch", "product_id": "python3-bleach-3.1.1-lp151.3.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.1", "product": { "name": "openSUSE Leap 15.1", "product_id": "openSUSE Leap 15.1", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.1" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python2-bleach-3.1.1-lp151.3.6.1.noarch as component of openSUSE Leap 15.1", "product_id": "openSUSE Leap 15.1:python2-bleach-3.1.1-lp151.3.6.1.noarch" }, "product_reference": "python2-bleach-3.1.1-lp151.3.6.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.1" }, { "category": "default_component_of", "full_product_name": { "name": "python3-bleach-3.1.1-lp151.3.6.1.noarch as component of openSUSE Leap 15.1", "product_id": "openSUSE Leap 15.1:python3-bleach-3.1.1-lp151.3.6.1.noarch" }, "product_reference": "python3-bleach-3.1.1-lp151.3.6.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-6802", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6802" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.1:python2-bleach-3.1.1-lp151.3.6.1.noarch", "openSUSE Leap 15.1:python3-bleach-3.1.1-lp151.3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6802", "url": "https://www.suse.com/security/cve/CVE-2020-6802" }, { "category": "external", "summary": "SUSE Bug 1165303 for CVE-2020-6802", "url": "https://bugzilla.suse.com/1165303" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.1:python2-bleach-3.1.1-lp151.3.6.1.noarch", "openSUSE Leap 15.1:python3-bleach-3.1.1-lp151.3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Leap 15.1:python2-bleach-3.1.1-lp151.3.6.1.noarch", "openSUSE Leap 15.1:python3-bleach-3.1.1-lp151.3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2020-03-07T09:14:37Z", "details": "moderate" } ], "title": "CVE-2020-6802" } ] }
opensuse-su-2024:11507-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
weblate-4.8.1-1.1 on GA media
Notes
Title of the patch
weblate-4.8.1-1.1 on GA media
Description of the patch
These are all security issues fixed in the weblate-4.8.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11507
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "weblate-4.8.1-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the weblate-4.8.1-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11507", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11507-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6802 page", "url": "https://www.suse.com/security/cve/CVE-2020-6802/" } ], "title": "weblate-4.8.1-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11507-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "weblate-4.8.1-1.1.aarch64", "product": { "name": "weblate-4.8.1-1.1.aarch64", "product_id": "weblate-4.8.1-1.1.aarch64" } }, { "category": "product_version", "name": "weblate-doc-4.8.1-1.1.aarch64", "product": { "name": "weblate-doc-4.8.1-1.1.aarch64", "product_id": "weblate-doc-4.8.1-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "weblate-4.8.1-1.1.ppc64le", "product": { "name": "weblate-4.8.1-1.1.ppc64le", "product_id": "weblate-4.8.1-1.1.ppc64le" } }, { "category": "product_version", "name": "weblate-doc-4.8.1-1.1.ppc64le", "product": { "name": "weblate-doc-4.8.1-1.1.ppc64le", "product_id": "weblate-doc-4.8.1-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "weblate-4.8.1-1.1.s390x", "product": { "name": "weblate-4.8.1-1.1.s390x", "product_id": "weblate-4.8.1-1.1.s390x" } }, { "category": "product_version", "name": "weblate-doc-4.8.1-1.1.s390x", "product": { "name": "weblate-doc-4.8.1-1.1.s390x", "product_id": "weblate-doc-4.8.1-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "weblate-4.8.1-1.1.x86_64", "product": { "name": "weblate-4.8.1-1.1.x86_64", "product_id": "weblate-4.8.1-1.1.x86_64" } }, { "category": "product_version", "name": "weblate-doc-4.8.1-1.1.x86_64", "product": { "name": "weblate-doc-4.8.1-1.1.x86_64", "product_id": "weblate-doc-4.8.1-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "weblate-4.8.1-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-4.8.1-1.1.aarch64" }, "product_reference": "weblate-4.8.1-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-4.8.1-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-4.8.1-1.1.ppc64le" }, "product_reference": "weblate-4.8.1-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-4.8.1-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-4.8.1-1.1.s390x" }, "product_reference": "weblate-4.8.1-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-4.8.1-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-4.8.1-1.1.x86_64" }, "product_reference": "weblate-4.8.1-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-doc-4.8.1-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.aarch64" }, "product_reference": "weblate-doc-4.8.1-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-doc-4.8.1-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.ppc64le" }, "product_reference": "weblate-doc-4.8.1-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-doc-4.8.1-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.s390x" }, "product_reference": "weblate-doc-4.8.1-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "weblate-doc-4.8.1-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.x86_64" }, "product_reference": "weblate-doc-4.8.1-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-6802", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6802" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:weblate-4.8.1-1.1.aarch64", "openSUSE Tumbleweed:weblate-4.8.1-1.1.ppc64le", "openSUSE Tumbleweed:weblate-4.8.1-1.1.s390x", "openSUSE Tumbleweed:weblate-4.8.1-1.1.x86_64", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.aarch64", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.ppc64le", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.s390x", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6802", "url": "https://www.suse.com/security/cve/CVE-2020-6802" }, { "category": "external", "summary": "SUSE Bug 1165303 for CVE-2020-6802", "url": "https://bugzilla.suse.com/1165303" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:weblate-4.8.1-1.1.aarch64", "openSUSE Tumbleweed:weblate-4.8.1-1.1.ppc64le", "openSUSE Tumbleweed:weblate-4.8.1-1.1.s390x", "openSUSE Tumbleweed:weblate-4.8.1-1.1.x86_64", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.aarch64", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.ppc64le", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.s390x", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:weblate-4.8.1-1.1.aarch64", "openSUSE Tumbleweed:weblate-4.8.1-1.1.ppc64le", "openSUSE Tumbleweed:weblate-4.8.1-1.1.s390x", "openSUSE Tumbleweed:weblate-4.8.1-1.1.x86_64", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.aarch64", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.ppc64le", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.s390x", "openSUSE Tumbleweed:weblate-doc-4.8.1-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2020-6802" } ] }
opensuse-su-2020:0325-1
Vulnerability from csaf_opensuse
Published
2020-03-09 14:18
Modified
2020-03-09 14:18
Summary
Security update for python-bleach
Notes
Title of the patch
Security update for python-bleach
Description of the patch
This update for python-bleach to version 3.1.1 fixes the following issue:
- Python-bleach was updated to 3.1.1
- CVE-2020-6802: Fixed mutation XSS vulnerabilities (boo#1165303).
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patchnames
openSUSE-2020-325
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-bleach", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-bleach to version 3.1.1 fixes the following issue:\n\n- Python-bleach was updated to 3.1.1\n- CVE-2020-6802: Fixed mutation XSS vulnerabilities (boo#1165303).\n\nThis update was imported from the openSUSE:Leap:15.1:Update update project.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2020-325", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0325-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2020:0325-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FWUX2BHDV6ER4EK7BZ3BABNQIAP7B2N2/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2020:0325-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FWUX2BHDV6ER4EK7BZ3BABNQIAP7B2N2/" }, { "category": "self", "summary": "SUSE Bug 1165303", "url": "https://bugzilla.suse.com/1165303" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6802 page", "url": "https://www.suse.com/security/cve/CVE-2020-6802/" } ], "title": "Security update for python-bleach", "tracking": { "current_release_date": "2020-03-09T14:18:04Z", "generator": { "date": "2020-03-09T14:18:04Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2020:0325-1", "initial_release_date": "2020-03-09T14:18:04Z", "revision_history": [ { "date": "2020-03-09T14:18:04Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python2-bleach-3.1.1-bp151.4.4.1.noarch", "product": { "name": "python2-bleach-3.1.1-bp151.4.4.1.noarch", "product_id": "python2-bleach-3.1.1-bp151.4.4.1.noarch" } }, { "category": "product_version", "name": "python3-bleach-3.1.1-bp151.4.4.1.noarch", "product": { "name": "python3-bleach-3.1.1-bp151.4.4.1.noarch", "product_id": "python3-bleach-3.1.1-bp151.4.4.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP1", "product": { "name": "SUSE Package Hub 15 SP1", "product_id": "SUSE Package Hub 15 SP1" } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python2-bleach-3.1.1-bp151.4.4.1.noarch as component of SUSE Package Hub 15 SP1", "product_id": "SUSE Package Hub 15 SP1:python2-bleach-3.1.1-bp151.4.4.1.noarch" }, "product_reference": "python2-bleach-3.1.1-bp151.4.4.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "python3-bleach-3.1.1-bp151.4.4.1.noarch as component of SUSE Package Hub 15 SP1", "product_id": "SUSE Package Hub 15 SP1:python3-bleach-3.1.1-bp151.4.4.1.noarch" }, "product_reference": "python3-bleach-3.1.1-bp151.4.4.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP1" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-6802", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6802" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP1:python2-bleach-3.1.1-bp151.4.4.1.noarch", "SUSE Package Hub 15 SP1:python3-bleach-3.1.1-bp151.4.4.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6802", "url": "https://www.suse.com/security/cve/CVE-2020-6802" }, { "category": "external", "summary": "SUSE Bug 1165303 for CVE-2020-6802", "url": "https://bugzilla.suse.com/1165303" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP1:python2-bleach-3.1.1-bp151.4.4.1.noarch", "SUSE Package Hub 15 SP1:python3-bleach-3.1.1-bp151.4.4.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP1:python2-bleach-3.1.1-bp151.4.4.1.noarch", "SUSE Package Hub 15 SP1:python3-bleach-3.1.1-bp151.4.4.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2020-03-09T14:18:04Z", "details": "moderate" } ], "title": "CVE-2020-6802" } ] }
opensuse-su-2024:14134-1
Vulnerability from csaf_opensuse
Published
2024-07-12 00:00
Modified
2024-07-12 00:00
Summary
python310-bleach-6.1.0-1.5 on GA media
Notes
Title of the patch
python310-bleach-6.1.0-1.5 on GA media
Description of the patch
These are all security issues fixed in the python310-bleach-6.1.0-1.5 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14134
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python310-bleach-6.1.0-1.5 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python310-bleach-6.1.0-1.5 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-14134", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14134-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7753 page", "url": "https://www.suse.com/security/cve/CVE-2018-7753/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6802 page", "url": "https://www.suse.com/security/cve/CVE-2020-6802/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6816 page", "url": "https://www.suse.com/security/cve/CVE-2020-6816/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6817 page", "url": "https://www.suse.com/security/cve/CVE-2020-6817/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-23980 page", "url": "https://www.suse.com/security/cve/CVE-2021-23980/" } ], "title": "python310-bleach-6.1.0-1.5 on GA media", "tracking": { "current_release_date": "2024-07-12T00:00:00Z", "generator": { "date": "2024-07-12T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:14134-1", "initial_release_date": "2024-07-12T00:00:00Z", "revision_history": [ { "date": "2024-07-12T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python310-bleach-6.1.0-1.5.aarch64", "product": { "name": "python310-bleach-6.1.0-1.5.aarch64", "product_id": "python310-bleach-6.1.0-1.5.aarch64" } }, { "category": "product_version", "name": "python311-bleach-6.1.0-1.5.aarch64", "product": { "name": "python311-bleach-6.1.0-1.5.aarch64", "product_id": "python311-bleach-6.1.0-1.5.aarch64" } }, { "category": "product_version", "name": "python312-bleach-6.1.0-1.5.aarch64", "product": { "name": "python312-bleach-6.1.0-1.5.aarch64", "product_id": "python312-bleach-6.1.0-1.5.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python310-bleach-6.1.0-1.5.ppc64le", "product": { "name": "python310-bleach-6.1.0-1.5.ppc64le", "product_id": "python310-bleach-6.1.0-1.5.ppc64le" } }, { "category": "product_version", "name": "python311-bleach-6.1.0-1.5.ppc64le", "product": { "name": "python311-bleach-6.1.0-1.5.ppc64le", "product_id": "python311-bleach-6.1.0-1.5.ppc64le" } }, { "category": "product_version", "name": "python312-bleach-6.1.0-1.5.ppc64le", "product": { "name": "python312-bleach-6.1.0-1.5.ppc64le", "product_id": "python312-bleach-6.1.0-1.5.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python310-bleach-6.1.0-1.5.s390x", "product": { "name": "python310-bleach-6.1.0-1.5.s390x", "product_id": "python310-bleach-6.1.0-1.5.s390x" } }, { "category": "product_version", "name": "python311-bleach-6.1.0-1.5.s390x", "product": { "name": "python311-bleach-6.1.0-1.5.s390x", "product_id": "python311-bleach-6.1.0-1.5.s390x" } }, { "category": "product_version", "name": "python312-bleach-6.1.0-1.5.s390x", "product": { "name": "python312-bleach-6.1.0-1.5.s390x", "product_id": "python312-bleach-6.1.0-1.5.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python310-bleach-6.1.0-1.5.x86_64", "product": { "name": "python310-bleach-6.1.0-1.5.x86_64", "product_id": "python310-bleach-6.1.0-1.5.x86_64" } }, { "category": "product_version", "name": "python311-bleach-6.1.0-1.5.x86_64", "product": { "name": "python311-bleach-6.1.0-1.5.x86_64", "product_id": "python311-bleach-6.1.0-1.5.x86_64" } }, { "category": "product_version", "name": "python312-bleach-6.1.0-1.5.x86_64", "product": { "name": "python312-bleach-6.1.0-1.5.x86_64", "product_id": "python312-bleach-6.1.0-1.5.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python310-bleach-6.1.0-1.5.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64" }, "product_reference": "python310-bleach-6.1.0-1.5.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-bleach-6.1.0-1.5.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le" }, "product_reference": "python310-bleach-6.1.0-1.5.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-bleach-6.1.0-1.5.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x" }, "product_reference": "python310-bleach-6.1.0-1.5.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python310-bleach-6.1.0-1.5.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64" }, "product_reference": "python310-bleach-6.1.0-1.5.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-bleach-6.1.0-1.5.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64" }, "product_reference": "python311-bleach-6.1.0-1.5.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-bleach-6.1.0-1.5.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le" }, "product_reference": "python311-bleach-6.1.0-1.5.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-bleach-6.1.0-1.5.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x" }, "product_reference": "python311-bleach-6.1.0-1.5.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-bleach-6.1.0-1.5.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64" }, "product_reference": "python311-bleach-6.1.0-1.5.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-bleach-6.1.0-1.5.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64" }, "product_reference": "python312-bleach-6.1.0-1.5.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-bleach-6.1.0-1.5.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le" }, "product_reference": "python312-bleach-6.1.0-1.5.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-bleach-6.1.0-1.5.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x" }, "product_reference": "python312-bleach-6.1.0-1.5.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-bleach-6.1.0-1.5.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" }, "product_reference": "python312-bleach-6.1.0-1.5.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-7753", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7753" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren\u0027t properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7753", "url": "https://www.suse.com/security/cve/CVE-2018-7753" }, { "category": "external", "summary": "SUSE Bug 1085969 for CVE-2018-7753", "url": "https://bugzilla.suse.com/1085969" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-07-12T00:00:00Z", "details": "critical" } ], "title": "CVE-2018-7753" }, { "cve": "CVE-2020-6802", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6802" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6802", "url": "https://www.suse.com/security/cve/CVE-2020-6802" }, { "category": "external", "summary": "SUSE Bug 1165303 for CVE-2020-6802", "url": "https://bugzilla.suse.com/1165303" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-07-12T00:00:00Z", "details": "moderate" } ], "title": "CVE-2020-6802" }, { "cve": "CVE-2020-6816", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6816" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6816", "url": "https://www.suse.com/security/cve/CVE-2020-6816" }, { "category": "external", "summary": "SUSE Bug 1167379 for CVE-2020-6816", "url": "https://bugzilla.suse.com/1167379" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-07-12T00:00:00Z", "details": "moderate" } ], "title": "CVE-2020-6816" }, { "cve": "CVE-2020-6817", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6817" } ], "notes": [ { "category": "general", "text": "bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={\u0027a\u0027: [\u0027style\u0027]}).", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6817", "url": "https://www.suse.com/security/cve/CVE-2020-6817" }, { "category": "external", "summary": "SUSE Bug 1168280 for CVE-2020-6817", "url": "https://bugzilla.suse.com/1168280" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-07-12T00:00:00Z", "details": "important" } ], "title": "CVE-2020-6817" }, { "cve": "CVE-2021-23980", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-23980" } ], "notes": [ { "category": "general", "text": "A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-23980", "url": "https://www.suse.com/security/cve/CVE-2021-23980" }, { "category": "external", "summary": "SUSE Bug 1184547 for CVE-2021-23980", "url": "https://bugzilla.suse.com/1184547" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python310-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python311-bleach-6.1.0-1.5.x86_64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.aarch64", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.ppc64le", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.s390x", "openSUSE Tumbleweed:python312-bleach-6.1.0-1.5.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-07-12T00:00:00Z", "details": "moderate" } ], "title": "CVE-2021-23980" } ] }
opensuse-su-2024:11219-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python36-bleach-3.3.0-1.4 on GA media
Notes
Title of the patch
python36-bleach-3.3.0-1.4 on GA media
Description of the patch
These are all security issues fixed in the python36-bleach-3.3.0-1.4 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11219
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python36-bleach-3.3.0-1.4 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python36-bleach-3.3.0-1.4 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11219", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11219-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7753 page", "url": "https://www.suse.com/security/cve/CVE-2018-7753/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6802 page", "url": "https://www.suse.com/security/cve/CVE-2020-6802/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6816 page", "url": "https://www.suse.com/security/cve/CVE-2020-6816/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6817 page", "url": "https://www.suse.com/security/cve/CVE-2020-6817/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-23980 page", "url": "https://www.suse.com/security/cve/CVE-2021-23980/" } ], "title": "python36-bleach-3.3.0-1.4 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11219-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python36-bleach-3.3.0-1.4.aarch64", "product": { "name": "python36-bleach-3.3.0-1.4.aarch64", "product_id": "python36-bleach-3.3.0-1.4.aarch64" } }, { "category": "product_version", "name": "python38-bleach-3.3.0-1.4.aarch64", "product": { "name": "python38-bleach-3.3.0-1.4.aarch64", "product_id": "python38-bleach-3.3.0-1.4.aarch64" } }, { "category": "product_version", "name": "python39-bleach-3.3.0-1.4.aarch64", "product": { "name": "python39-bleach-3.3.0-1.4.aarch64", "product_id": "python39-bleach-3.3.0-1.4.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python36-bleach-3.3.0-1.4.ppc64le", "product": { "name": "python36-bleach-3.3.0-1.4.ppc64le", "product_id": "python36-bleach-3.3.0-1.4.ppc64le" } }, { "category": "product_version", "name": "python38-bleach-3.3.0-1.4.ppc64le", "product": { "name": "python38-bleach-3.3.0-1.4.ppc64le", "product_id": "python38-bleach-3.3.0-1.4.ppc64le" } }, { "category": "product_version", "name": "python39-bleach-3.3.0-1.4.ppc64le", "product": { "name": "python39-bleach-3.3.0-1.4.ppc64le", "product_id": "python39-bleach-3.3.0-1.4.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python36-bleach-3.3.0-1.4.s390x", "product": { "name": "python36-bleach-3.3.0-1.4.s390x", "product_id": "python36-bleach-3.3.0-1.4.s390x" } }, { "category": "product_version", "name": "python38-bleach-3.3.0-1.4.s390x", "product": { "name": "python38-bleach-3.3.0-1.4.s390x", "product_id": "python38-bleach-3.3.0-1.4.s390x" } }, { "category": "product_version", "name": "python39-bleach-3.3.0-1.4.s390x", "product": { "name": "python39-bleach-3.3.0-1.4.s390x", "product_id": "python39-bleach-3.3.0-1.4.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python36-bleach-3.3.0-1.4.x86_64", "product": { "name": "python36-bleach-3.3.0-1.4.x86_64", "product_id": "python36-bleach-3.3.0-1.4.x86_64" } }, { "category": "product_version", "name": "python38-bleach-3.3.0-1.4.x86_64", "product": { "name": "python38-bleach-3.3.0-1.4.x86_64", "product_id": "python38-bleach-3.3.0-1.4.x86_64" } }, { "category": "product_version", "name": "python39-bleach-3.3.0-1.4.x86_64", "product": { "name": "python39-bleach-3.3.0-1.4.x86_64", "product_id": "python39-bleach-3.3.0-1.4.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python36-bleach-3.3.0-1.4.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64" }, "product_reference": "python36-bleach-3.3.0-1.4.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python36-bleach-3.3.0-1.4.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le" }, "product_reference": "python36-bleach-3.3.0-1.4.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python36-bleach-3.3.0-1.4.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x" }, "product_reference": "python36-bleach-3.3.0-1.4.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python36-bleach-3.3.0-1.4.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64" }, "product_reference": "python36-bleach-3.3.0-1.4.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-bleach-3.3.0-1.4.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64" }, "product_reference": "python38-bleach-3.3.0-1.4.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-bleach-3.3.0-1.4.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le" }, "product_reference": "python38-bleach-3.3.0-1.4.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-bleach-3.3.0-1.4.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x" }, "product_reference": "python38-bleach-3.3.0-1.4.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python38-bleach-3.3.0-1.4.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64" }, "product_reference": "python38-bleach-3.3.0-1.4.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-bleach-3.3.0-1.4.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64" }, "product_reference": "python39-bleach-3.3.0-1.4.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-bleach-3.3.0-1.4.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le" }, "product_reference": "python39-bleach-3.3.0-1.4.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-bleach-3.3.0-1.4.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x" }, "product_reference": "python39-bleach-3.3.0-1.4.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python39-bleach-3.3.0-1.4.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" }, "product_reference": "python39-bleach-3.3.0-1.4.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-7753", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7753" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren\u0027t properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7753", "url": "https://www.suse.com/security/cve/CVE-2018-7753" }, { "category": "external", "summary": "SUSE Bug 1085969 for CVE-2018-7753", "url": "https://bugzilla.suse.com/1085969" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "critical" } ], "title": "CVE-2018-7753" }, { "cve": "CVE-2020-6802", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6802" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6802", "url": "https://www.suse.com/security/cve/CVE-2020-6802" }, { "category": "external", "summary": "SUSE Bug 1165303 for CVE-2020-6802", "url": "https://bugzilla.suse.com/1165303" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2020-6802" }, { "cve": "CVE-2020-6816", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6816" } ], "notes": [ { "category": "general", "text": "In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6816", "url": "https://www.suse.com/security/cve/CVE-2020-6816" }, { "category": "external", "summary": "SUSE Bug 1167379 for CVE-2020-6816", "url": "https://bugzilla.suse.com/1167379" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2020-6816" }, { "cve": "CVE-2020-6817", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6817" } ], "notes": [ { "category": "general", "text": "bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={\u0027a\u0027: [\u0027style\u0027]}).", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6817", "url": "https://www.suse.com/security/cve/CVE-2020-6817" }, { "category": "external", "summary": "SUSE Bug 1168280 for CVE-2020-6817", "url": "https://bugzilla.suse.com/1168280" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2020-6817" }, { "cve": "CVE-2021-23980", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-23980" } ], "notes": [ { "category": "general", "text": "A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-23980", "url": "https://www.suse.com/security/cve/CVE-2021-23980" }, { "category": "external", "summary": "SUSE Bug 1184547 for CVE-2021-23980", "url": "https://bugzilla.suse.com/1184547" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python36-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python38-bleach-3.3.0-1.4.x86_64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.aarch64", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.ppc64le", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.s390x", "openSUSE Tumbleweed:python39-bleach-3.3.0-1.4.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2021-23980" } ] }
gsd-2020-6802
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2020-6802", "description": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "id": "GSD-2020-6802", "references": [ "https://www.suse.com/security/cve/CVE-2020-6802.html", "https://www.debian.org/security/2020/dsa-4636", "https://advisories.mageia.org/CVE-2020-6802.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-6802" ], "details": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.", "id": "GSD-2020-6802", "modified": "2023-12-13T01:21:55.249603Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-6802", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mozilla Bleach", "version": { "version_data": [ { "version_value": "\u003c=3.10" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "mutation XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r", "refsource": "MISC", "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "name": "FEDORA-2020-827b677e15", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "name": "FEDORA-2020-e1fa96c506", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "name": "FEDORA-2020-e9c8bdd1e3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "name": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach", "refsource": "MISC", "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "name": "https://advisory.checkmarx.net/advisory/CX-2020-4276", "refsource": "MISC", "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c3.1.1", "affected_versions": "All versions before 3.1.1", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937" ], "date": "2021-03-30", "description": "In Mozilla Bleach, a mutation XSS affects users calling `bleach.clean` with `noscript`.", "fixed_versions": [ "3.1.1" ], "identifier": "CVE-2020-6802", "identifiers": [ "CVE-2020-6802", "GHSA-q65m-pv3f-wr5r" ], "not_impacted": "All versions starting from 3.1.1", "package_slug": "pypi/bleach", "pubdate": "2020-03-24", "solution": "Upgrade to version 3.1.1 or above.", "title": "Cross-site Scripting", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-6802" ], "uuid": "221e187c-3549-40f1-94a3-36e2e44b7f38" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:mozilla:bleach:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.1.1", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-6802" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-79" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "name": "FEDORA-2020-827b677e15", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/" }, { "name": "FEDORA-2020-e1fa96c506", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/" }, { "name": "FEDORA-2020-e9c8bdd1e3", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/" }, { "name": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" }, { "name": "https://advisory.checkmarx.net/advisory/CX-2020-4276", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7 } }, "lastModifiedDate": "2022-10-06T20:16Z", "publishedDate": "2020-03-24T22:15Z" } } }
ghsa-q65m-pv3f-wr5r
Vulnerability from github
Published
2020-02-24 17:33
Modified
2024-09-13 15:05
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
VLAI Severity ?
Summary
XSS in Bleach when noscript and raw tag whitelisted
Details
Impact
A mutation XSS affects users calling bleach.clean
with noscript
and a raw tag (see below) in the allowed/whitelisted tags option.
Patches
v3.1.1
Workarounds
- modify
bleach.clean
calls to not whitelistnoscript
and one or more of the following raw tags:
title
textarea
script
style
noembed
noframes
iframe
xmp
- A strong Content-Security-Policy without
unsafe-inline
andunsafe-eval
script-src
s) will also help mitigate the risk.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
- https://cure53.de/fp170.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2020-6802
- https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/mozilla/bleach/issues
- Email us at security@mozilla.org
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "bleach" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.1.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-6802" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-02-19T19:43:47Z", "nvd_published_at": "2020-03-24T22:15:00Z", "severity": "MODERATE" }, "details": "### Impact\n\nA [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with `noscript` and a raw tag (see below) in the allowed/whitelisted tags option.\n\n### Patches\n\nv3.1.1\n\n### Workarounds\n\n* modify `bleach.clean` calls to not whitelist `noscript` and one or more of the following raw tags:\n\n```\ntitle\ntextarea\nscript\nstyle\nnoembed\nnoframes\niframe\nxmp\n```\n\n* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=1615315\n* https://cure53.de/fp170.pdf\n* https://nvd.nist.gov/vuln/detail/CVE-2020-6802\n* https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach\n\n### Credits\n\n* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)\n* Email us at [security@mozilla.org](mailto:security@mozilla.org)\n", "id": "GHSA-q65m-pv3f-wr5r", "modified": "2024-09-13T15:05:52Z", "published": "2020-02-24T17:33:44Z", "references": [ { "type": "WEB", "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6802" }, { "type": "WEB", "url": "https://github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd" }, { "type": "WEB", "url": "https://advisory.checkmarx.net/advisory/CX-2020-4276" }, { "type": "WEB", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1615315" }, { "type": "WEB", "url": "https://cure53.de/fp170.pdf" }, { "type": "PACKAGE", "url": "https://github.com/mozilla/bleach" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-27.yaml" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX" }, { "type": "WEB", "url": "https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "type": "CVSS_V4" } ], "summary": "XSS in Bleach when noscript and raw tag whitelisted" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…