Lucene search

[email protected]CVE-2021-43818

HistoryDec 13, 2021 - 6:15 p.m.

CVE-2021-43818

2021-12-1318:15:00

CWE-74

CWE-79

[email protected]

web.nvd.nist.gov

315

lxml

xml

html

python

security

cve-2021-43818

vulnerability

patch

upgrade

nvd

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.9 Medium

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.5%

JSON

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

VendorProductVersionCPE
lxmllxml*cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lxml	lxml	*	cpe:2.3:a:lxml:lxml::::::::

References

github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a

github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776

github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0

github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8

lists.debian.org/debian-lts-announce/2021/12/msg00037.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/

security.gentoo.org/glsa/202208-06

security.netapp.com/advisory/ntap-20220107-0005/

www.debian.org/security/2022/dsa-5043

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujul2022.html

Social References

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.9 Medium

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.5%

JSON

Related for CVE-2021-43818

nessus53 ubuntucve1 almalinux4 ibm4 amazon2 cbl_mariner2 osv14 prion1 alpinelinux1 redhat7 fedora4 rocky5 veracode1 debian2 redhatcve1 oraclelinux5 github1 ubuntu1 mageia1 redos1 debiancve1 gentoo1 suse1 photon4 oracle2