csaf_suse - suse-su-2022:0895-1

suse-su-2022:0895-1

Vulnerability from csaf_suse

Published

2022-03-17 14:38

Modified

2022-03-17 14:38

Summary

Security update for python-lxml

Notes

Title of the patch

Security update for python-lxml

Description of the patch

This update for python-lxml fixes the following issues: - CVE-2021-43818: Removed SVG image data URLs since they can embed script content (bsc#1193752). - CVE-2021-28957: Fixed a potential XSS due to improper input sanitization (bsc#1184177). - CVE-2020-27783: Fixed a potential XSS due to improper HTML parsing (bsc#1179534). - CVE-2018-19787: Fixed a potential XSS due to improper input sanitization (bsc#1118088).

Patchnames

HPE-Helion-OpenStack-8-2022-895,SUSE-2022-895,SUSE-OpenStack-Cloud-8-2022-895,SUSE-OpenStack-Cloud-Crowbar-8-2022-895,SUSE-SLE-SERVER-12-SP5-2022-895

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-lxml",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-lxml fixes the following issues:\n\n- CVE-2021-43818: Removed SVG image data URLs since they can embed script\n  content (bsc#1193752).\n- CVE-2021-28957: Fixed a potential XSS due to improper input sanitization (bsc#1184177).\n- CVE-2020-27783: Fixed a potential XSS due to improper HTML parsing (bsc#1179534).\n- CVE-2018-19787: Fixed a potential XSS due to improper input sanitization (bsc#1118088).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "HPE-Helion-OpenStack-8-2022-895,SUSE-2022-895,SUSE-OpenStack-Cloud-8-2022-895,SUSE-OpenStack-Cloud-Crowbar-8-2022-895,SUSE-SLE-SERVER-12-SP5-2022-895",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_0895-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2022:0895-1",
        "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20220895-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2022:0895-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010467.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1118088",
        "url": "https://bugzilla.suse.com/1118088"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1179534",
        "url": "https://bugzilla.suse.com/1179534"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1184177",
        "url": "https://bugzilla.suse.com/1184177"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1193752",
        "url": "https://bugzilla.suse.com/1193752"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-19787 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-19787/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-27783 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-27783/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-28957 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-28957/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-43818 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-43818/"
      }
    ],
    "title": "Security update for python-lxml",
    "tracking": {
      "current_release_date": "2022-03-17T14:38:22Z",
      "generator": {
        "date": "2022-03-17T14:38:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2022:0895-1",
      "initial_release_date": "2022-03-17T14:38:22Z",
      "revision_history": [
        {
          "date": "2022-03-17T14:38:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-3.6.1-8.5.1.aarch64",
                "product": {
                  "name": "python-lxml-3.6.1-8.5.1.aarch64",
                  "product_id": "python-lxml-3.6.1-8.5.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python-lxml-devel-3.6.1-8.5.1.aarch64",
                "product": {
                  "name": "python-lxml-devel-3.6.1-8.5.1.aarch64",
                  "product_id": "python-lxml-devel-3.6.1-8.5.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-3.6.1-8.5.1.i586",
                "product": {
                  "name": "python-lxml-3.6.1-8.5.1.i586",
                  "product_id": "python-lxml-3.6.1-8.5.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "python-lxml-devel-3.6.1-8.5.1.i586",
                "product": {
                  "name": "python-lxml-devel-3.6.1-8.5.1.i586",
                  "product_id": "python-lxml-devel-3.6.1-8.5.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-doc-3.6.1-8.5.1.noarch",
                "product": {
                  "name": "python-lxml-doc-3.6.1-8.5.1.noarch",
                  "product_id": "python-lxml-doc-3.6.1-8.5.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-3.6.1-8.5.1.ppc64le",
                "product": {
                  "name": "python-lxml-3.6.1-8.5.1.ppc64le",
                  "product_id": "python-lxml-3.6.1-8.5.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python-lxml-devel-3.6.1-8.5.1.ppc64le",
                "product": {
                  "name": "python-lxml-devel-3.6.1-8.5.1.ppc64le",
                  "product_id": "python-lxml-devel-3.6.1-8.5.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-3.6.1-8.5.1.s390",
                "product": {
                  "name": "python-lxml-3.6.1-8.5.1.s390",
                  "product_id": "python-lxml-3.6.1-8.5.1.s390"
                }
              },
              {
                "category": "product_version",
                "name": "python-lxml-devel-3.6.1-8.5.1.s390",
                "product": {
                  "name": "python-lxml-devel-3.6.1-8.5.1.s390",
                  "product_id": "python-lxml-devel-3.6.1-8.5.1.s390"
                }
              }
            ],
            "category": "architecture",
            "name": "s390"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-3.6.1-8.5.1.s390x",
                "product": {
                  "name": "python-lxml-3.6.1-8.5.1.s390x",
                  "product_id": "python-lxml-3.6.1-8.5.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python-lxml-devel-3.6.1-8.5.1.s390x",
                "product": {
                  "name": "python-lxml-devel-3.6.1-8.5.1.s390x",
                  "product_id": "python-lxml-devel-3.6.1-8.5.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-lxml-3.6.1-8.5.1.x86_64",
                "product": {
                  "name": "python-lxml-3.6.1-8.5.1.x86_64",
                  "product_id": "python-lxml-3.6.1-8.5.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python-lxml-devel-3.6.1-8.5.1.x86_64",
                "product": {
                  "name": "python-lxml-devel-3.6.1-8.5.1.x86_64",
                  "product_id": "python-lxml-devel-3.6.1-8.5.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "HPE Helion OpenStack 8",
                "product": {
                  "name": "HPE Helion OpenStack 8",
                  "product_id": "HPE Helion OpenStack 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:hpe-helion-openstack:8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 8",
                "product": {
                  "name": "SUSE OpenStack Cloud 8",
                  "product_id": "SUSE OpenStack Cloud 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud Crowbar 8",
                "product": {
                  "name": "SUSE OpenStack Cloud Crowbar 8",
                  "product_id": "SUSE OpenStack Cloud Crowbar 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.x86_64 as component of HPE Helion OpenStack 8",
          "product_id": "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.x86_64",
        "relates_to_product_reference": "HPE Helion OpenStack 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.x86_64 as component of SUSE OpenStack Cloud 8",
          "product_id": "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
          "product_id": "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.s390x as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.aarch64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-lxml-3.6.1-8.5.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64"
        },
        "product_reference": "python-lxml-3.6.1-8.5.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-19787",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-19787"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-19787",
          "url": "https://www.suse.com/security/cve/CVE-2018-19787"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118088 for CVE-2018-19787",
          "url": "https://bugzilla.suse.com/1118088"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-17T14:38:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-19787"
    },
    {
      "cve": "CVE-2020-27783",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-27783"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A XSS vulnerability was discovered in python-lxml\u0027s clean module. The module\u0027s parser didn\u0027t properly imitate browsers, which caused different behaviors between the sanitizer and the user\u0027s page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-27783",
          "url": "https://www.suse.com/security/cve/CVE-2020-27783"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1179534 for CVE-2020-27783",
          "url": "https://bugzilla.suse.com/1179534"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-17T14:38:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-27783"
    },
    {
      "cve": "CVE-2021-28957",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-28957"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-28957",
          "url": "https://www.suse.com/security/cve/CVE-2021-28957"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184177 for CVE-2021-28957",
          "url": "https://bugzilla.suse.com/1184177"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-17T14:38:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-28957"
    },
    {
      "cve": "CVE-2021-43818",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-43818"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-43818",
          "url": "https://www.suse.com/security/cve/CVE-2021-43818"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193752 for CVE-2021-43818",
          "url": "https://bugzilla.suse.com/1193752"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "HPE Helion OpenStack 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud 8:python-lxml-3.6.1-8.5.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:python-lxml-3.6.1-8.5.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-17T14:38:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-43818"
    }
  ]
}

CVE-2018-19787 (GCVE-0-2018-19787)

Vulnerability from cvelistv5

Published

2018-12-02 10:00

Modified

2024-08-05 11:44

Severity ?

CWE

Summary

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

References

►

URL

Tags

	https://usn.ubuntu.com/3841-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html	mailing-list, x_refsource_MLIST
	https://usn.ubuntu.com/3841-2/	vendor-advisory, x_refsource_UBUNTU
	https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T11:44:20.323Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3841-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3841-1/"
          },
          {
            "name": "[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"
          },
          {
            "name": "USN-3841-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3841-2/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"
          },
          {
            "name": "[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-12-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-26T20:06:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3841-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3841-1/"
        },
        {
          "name": "[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"
        },
        {
          "name": "USN-3841-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3841-2/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"
        },
        {
          "name": "[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-19787",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3841-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3841-1/"
            },
            {
              "name": "[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"
            },
            {
              "name": "USN-3841-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3841-2/"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"
            },
            {
              "name": "[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-19787",
    "datePublished": "2018-12-02T10:00:00",
    "dateReserved": "2018-12-02T00:00:00",
    "dateUpdated": "2024-08-05T11:44:20.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-28957 (GCVE-0-2021-28957)

Vulnerability from cvelistv5

Published

2021-03-21 04:39

Modified

2024-08-03 21:55

Severity ?

CWE

Summary

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

References

►

URL

Tags

	https://bugs.launchpad.net/lxml/+bug/1888153	x_refsource_MISC
	https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2021/dsa-4880	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210521-0004/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202208-06	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.376Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/lxml/+bug/1888153"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
          },
          {
            "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
          },
          {
            "name": "DSA-4880",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4880"
          },
          {
            "name": "FEDORA-2021-28723f9670",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"
          },
          {
            "name": "FEDORA-2021-4cdb0f68c7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"
          },
          {
            "name": "GLSA-202208-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-06"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T05:06:44",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.launchpad.net/lxml/+bug/1888153"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
        },
        {
          "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
        },
        {
          "name": "DSA-4880",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4880"
        },
        {
          "name": "FEDORA-2021-28723f9670",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"
        },
        {
          "name": "FEDORA-2021-4cdb0f68c7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"
        },
        {
          "name": "GLSA-202208-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-06"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28957",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.launchpad.net/lxml/+bug/1888153",
              "refsource": "MISC",
              "url": "https://bugs.launchpad.net/lxml/+bug/1888153"
            },
            {
              "name": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
            },
            {
              "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
            },
            {
              "name": "DSA-4880",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4880"
            },
            {
              "name": "FEDORA-2021-28723f9670",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"
            },
            {
              "name": "FEDORA-2021-4cdb0f68c7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210521-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"
            },
            {
              "name": "GLSA-202208-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-06"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28957",
    "datePublished": "2021-03-21T04:39:35",
    "dateReserved": "2021-03-21T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-43818 (GCVE-0-2021-43818)

Vulnerability from cvelistv5

Published

2021-12-13 18:05

Modified

2024-08-04 04:03

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

References

►

URL

Tags

	https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8	x_refsource_CONFIRM
	https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a	x_refsource_MISC
	https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776	x_refsource_MISC
	https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/	vendor-advisory, x_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2022/dsa-5043	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20220107-0005/	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://security.gentoo.org/glsa/202208-06	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	lxml	lxml	Version: < 4.6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:03:08.992Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"
          },
          {
            "name": "FEDORA-2021-6e8fb79f90",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"
          },
          {
            "name": "FEDORA-2021-9f9e7c5c4f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"
          },
          {
            "name": "[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"
          },
          {
            "name": "DSA-5043",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5043"
          },
          {
            "name": "FEDORA-2022-96c79bf003",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"
          },
          {
            "name": "FEDORA-2022-7129fbaeed",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220107-0005/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "GLSA-202208-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-06"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lxml",
          "vendor": "lxml",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.6.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T05:06:57",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"
        },
        {
          "name": "FEDORA-2021-6e8fb79f90",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"
        },
        {
          "name": "FEDORA-2021-9f9e7c5c4f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"
        },
        {
          "name": "[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"
        },
        {
          "name": "DSA-5043",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5043"
        },
        {
          "name": "FEDORA-2022-96c79bf003",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"
        },
        {
          "name": "FEDORA-2022-7129fbaeed",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220107-0005/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "GLSA-202208-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-06"
        }
      ],
      "source": {
        "advisory": "GHSA-55x5-fj6c-h6m8",
        "discovery": "UNKNOWN"
      },
      "title": "HTML Cleaner allows crafted and SVG embedded scripts to pass through",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43818",
          "STATE": "PUBLIC",
          "TITLE": "HTML Cleaner allows crafted and SVG embedded scripts to pass through"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "lxml",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.6.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "lxml"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8",
              "refsource": "CONFIRM",
              "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"
            },
            {
              "name": "FEDORA-2021-6e8fb79f90",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"
            },
            {
              "name": "FEDORA-2021-9f9e7c5c4f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"
            },
            {
              "name": "[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"
            },
            {
              "name": "DSA-5043",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5043"
            },
            {
              "name": "FEDORA-2022-96c79bf003",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"
            },
            {
              "name": "FEDORA-2022-7129fbaeed",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220107-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220107-0005/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "GLSA-202208-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-06"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-55x5-fj6c-h6m8",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-43818",
    "datePublished": "2021-12-13T18:05:12",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-04T04:03:08.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-27783 (GCVE-0-2020-27783)

Vulnerability from cvelistv5

Published

2020-12-03 16:39

Modified

2024-08-04 16:25

Severity ?

CWE

CWE-79

Summary

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

References

►

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=1901633	x_refsource_MISC
	https://www.debian.org/security/2020/dsa-4810	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://advisory.checkmarx.net/advisory/CX-2020-4286	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210521-0003/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	python-lxml	Version: lxml-4.6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:25:42.427Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633"
          },
          {
            "name": "DSA-4810",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4810"
          },
          {
            "name": "[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html"
          },
          {
            "name": "FEDORA-2020-0e055ea503",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/"
          },
          {
            "name": "FEDORA-2020-307946cfb6",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210521-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "python-lxml",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "lxml-4.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A XSS vulnerability was discovered in python-lxml\u0027s clean module. The module\u0027s parser didn\u0027t properly imitate browsers, which caused different behaviors between the sanitizer and the user\u0027s page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T22:54:48",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633"
        },
        {
          "name": "DSA-4810",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4810"
        },
        {
          "name": "[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html"
        },
        {
          "name": "FEDORA-2020-0e055ea503",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/"
        },
        {
          "name": "FEDORA-2020-307946cfb6",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210521-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-27783",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "python-lxml",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "lxml-4.6.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A XSS vulnerability was discovered in python-lxml\u0027s clean module. The module\u0027s parser didn\u0027t properly imitate browsers, which caused different behaviors between the sanitizer and the user\u0027s page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633"
            },
            {
              "name": "DSA-4810",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4810"
            },
            {
              "name": "[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html"
            },
            {
              "name": "FEDORA-2020-0e055ea503",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/"
            },
            {
              "name": "FEDORA-2020-307946cfb6",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://advisory.checkmarx.net/advisory/CX-2020-4286",
              "refsource": "MISC",
              "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210521-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210521-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-27783",
    "datePublished": "2020-12-03T16:39:41",
    "dateReserved": "2020-10-27T00:00:00",
    "dateUpdated": "2024-08-04T16:25:42.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2022:0895-1

Vulnerability from csaf_suse

CVE-2018-19787 (GCVE-0-2018-19787)

Vulnerability from cvelistv5

CVE-2021-28957 (GCVE-0-2021-28957)

Vulnerability from cvelistv5

CVE-2021-43818 (GCVE-0-2021-43818)

Vulnerability from cvelistv5

CVE-2020-27783 (GCVE-0-2020-27783)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature