### Impact
A [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of:
* `svg` or `math` in the allowed tags
* `p` or `br` in allowed tags
* `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` in allowed tags
* the keyword argument `strip_comments=False`
Note: none of the above tags are in the default allowed tags and `strip_comments` defaults to `True`.
### Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
### Workarounds
* modify `bleach.clean` calls to at least one of:
  * not allow the `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` tag
  * not allow `svg` or `math` tags
  * not allow `p` or `br` tags
  * set `strip_comments=True`
* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) will also help mitigate the risk.
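The affected combination is a conjunction of all four conditions, so a single change breaks it. The following audit helper, an added example that is not part of the advisory or of the bleach project, takes the `tags` and `strip_comments` values a caller passes to `bleach.clean` (and optionally the installed version) and reports whether the call matches the advisory's conditions and which workaround from the list above would clear it. It does not import bleach, so it runs without the package installed; the function and class names are assumptions of this example.

```python
"""Audit a bleach.clean configuration against the conditions in this advisory.

Example code added to the advisory text; not part of the bleach project.
It deliberately avoids importing bleach so it can run anywhere.
"""
from dataclasses import dataclass, field

# The three tag groups the advisory names, plus the comment switch.
FOREIGN_CONTENT_TAGS = frozenset({"svg", "math"})
BLOCK_TAGS = frozenset({"p", "br"})
RAW_TEXT_TAGS = frozenset({"style", "title", "noscript", "script",
                           "textarea", "noframes", "iframe", "xmp"})
FIXED_VERSION = (3, 3, 0)   # "upgrade to bleach v3.3.0 or greater"


def parse_version(text):
    """'3.3.0' -> (3, 3, 0). A non-numeric suffix such as 'rc1' is ignored
    and missing components are padded with 0."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts[:3]) + (0,) * (3 - len(parts[:3]))


def is_patched(version):
    """True when the installed bleach is at or above the fixed release."""
    return parse_version(version) >= FIXED_VERSION


@dataclass
class AuditResult:
    vulnerable: bool
    reasons: list = field(default_factory=list)  # conditions that hold
    fixes: list = field(default_factory=list)    # any one of these clears it


def audit_clean_call(tags, strip_comments=True, version=None):
    """Check one bleach.clean(tags=..., strip_comments=...) configuration.

    `strip_comments` defaults to True here because that is bleach's own
    default; `version` is optional and, when given and >= 3.3.0, the call
    is reported as not vulnerable regardless of the tag set.
    """
    tags = {t.lower() for t in tags}
    hits = {
        "svg or math allowed": bool(tags & FOREIGN_CONTENT_TAGS),
        "p or br allowed": bool(tags & BLOCK_TAGS),
        "raw-text tag allowed": bool(tags & RAW_TEXT_TAGS),
        "strip_comments=False": not strip_comments,
    }
    reasons = [name for name, hit in hits.items() if hit]
    # The advisory applies only when ALL four conditions hold.
    vulnerable = all(hits.values())
    if version is not None and is_patched(version):
        vulnerable = False
    fixes = []
    if vulnerable:
        fixes = [
            "remove tags: " + ", ".join(sorted(tags & RAW_TEXT_TAGS)),
            "remove tags: " + ", ".join(sorted(tags & FOREIGN_CONTENT_TAGS)),
            "remove tags: " + ", ".join(sorted(tags & BLOCK_TAGS)),
            "set strip_comments=True",
        ]
    return AuditResult(vulnerable, reasons, fixes)


def hardened_kwargs(tags):
    """Keyword arguments for bleach.clean that apply two of the workarounds:
    drop the raw-text tag group and keep comments stripped."""
    return {
        "tags": sorted({t.lower() for t in tags} - RAW_TEXT_TAGS),
        "strip_comments": True,
    }


if __name__ == "__main__":
    # Constructed sample configuration matching all four conditions.
    risky = ["p", "svg", "style", "a"]
    result = audit_clean_call(risky, strip_comments=False, version="3.2.3")
    print("vulnerable:", result.vulnerable)
    for fix in result.fixes:
        print("  fix option:", fix)
    print("hardened call:", hardened_kwargs(risky))
```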
### References
* https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
* https://advisory.checkmarx.net/advisory/CX-2021-4303
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
* https://cure53.de/fp170.pdf
### Credits
* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx
* Additional eject tags not mentioned in the original advisory, and the truncated CSP mitigation line in the revised advisory, reported by [Michał Bentkowski](https://twitter.com/SecurityMB) at Securitum
### For more information
If you have any questions or comments about this advisory:
* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)
* Email us at [security@mozilla.org](mailto:security@mozilla.org)
value:\"2021/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"python2-bleach-3.1.5-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"python3-bleach-3.1.5-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2-bleach / python3-bleach\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-01-15T06:08:25", "description": "mutation XSS via allowed math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False", "cvss3": {}, "published": "2022-02-25T08:28:35", "type": "debiancve", "title": "CVE-2021-23980", 
"bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-23980"], "modified": "2022-02-25T08:28:35", "id": "DEBIANCVE:CVE-2021-23980", "href": "https://security-tracker.debian.org/tracker/CVE-2021-23980", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhatcve": [{"lastseen": "2023-02-01T08:11:46", "description": "No description is available for this CVE.\n", "cvss3": {}, "published": "2021-03-30T16:04:58", "type": "redhatcve", "title": "CVE-2021-23980", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-23980"], "modified": "2023-02-01T06:55:20", "id": "RH:CVE-2021-23980", "href": "https://access.redhat.com/security/cve/cve-2021-23980", "cvss": {"score": 0.0, "vector": "NONE"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when \"svg\" or \"math\" are in the allowed tags, 'p' or \"br\" are in allowed tags, \"style\", \"title\", \"noscript\", \"script\", \"textarea\", \"noframes\", \"iframe\", or \"xmp\" are in allowed tags and 'strip_comments=False' is set (CVE-2021-23980). \n", "cvss3": {}, "published": "2021-06-16T20:22:25", "type": "mageia", "title": "Updated python-bleach packages fix a security vulnerability\n", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2021-23980"], "modified": "2021-06-16T20:22:25", "id": "MGASA-2021-0260", "href": "https://advisories.mageia.org/MGASA-2021-0260.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2022-11-06T12:09:19", "description": "An update that fixes three vulnerabilities is now available.\n\nDescription:\n\n This update for python-bleach fixes the following issues:\n\n - CVE-2021-23980: Fixed mutation XSS on bleach.clean with specific\n combinations of allowed tags (boo#1184547)\n\n Update to 3.1.5:\n\n * replace missing ``setuptools`` dependency with ``packaging``. 
Thank you\n Benjamin Peterson.\n\n Update to 3.1.4 (boo#1168280, CVE-2020-6817):\n\n * ``bleach.clean`` behavior parsing style attributes could result in a\n regular expression denial of service (ReDoS). Calls to ``bleach.clean``\n with an allowed tag with an allowed ``style`` attribute were vulnerable\n to ReDoS. For example, ``bleach.clean(..., attributes={'a':\n ['style']})``.\n * Style attributes with dashes, or single or double quoted values are\n cleaned instead of passed through.\n\n update to 3.1.3 (boo#1167379, CVE-2020-6816):\n\n * Add relative link to code of conduct. (#442)\n * Drop deprecated 'setup.py test' support. (#507)\n * Fix typo: curren -> current in tests/test_clean.py (#504)\n * Test on PyPy 7\n * Drop test support for end of life Python 3.4\n * ``bleach.clean`` behavior parsing embedded MathML and SVG content with\n RCDATA tags did not match browser behavior and could result in a\n mutation XSS. Calls to ``bleach.clean`` with ``strip=False`` and\n ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``,\n ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or\n ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-552=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-04-14T00:00:00", "type": "suse", "title": "Security 
update for python-bleach (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6816", "CVE-2020-6817", "CVE-2021-23980"], "modified": "2021-04-14T00:00:00", "id": "OPENSUSE-SU-2021:0552-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-11-10T02:12:07", "description": "An update that fixes three vulnerabilities is now available.\n\nDescription:\n\n This update for python-bleach fixes the following issues:\n\n - CVE-2021-23980: Fixed mutation XSS on bleach.clean with specific\n combinations of allowed tags (boo#1184547)\n\n Update to 3.1.5:\n\n * replace missing ``setuptools`` dependency with ``packaging``. Thank you\n Benjamin Peterson.\n\n Update to 3.1.4 (boo#1168280, CVE-2020-6817):\n\n * ``bleach.clean`` behavior parsing style attributes could result in a\n regular expression denial of service (ReDoS). Calls to ``bleach.clean``\n with an allowed tag with an allowed ``style`` attribute were vulnerable\n to ReDoS. For example, ``bleach.clean(..., attributes={'a':\n ['style']})``.\n * Style attributes with dashes, or single or double quoted values are\n cleaned instead of passed through.\n\n update to 3.1.3 (boo#1167379, CVE-2020-6816):\n\n * Add relative link to code of conduct. (#442)\n * Drop deprecated 'setup.py test' support. 
(#507)\n * Fix typo: curren -> current in tests/test_clean.py (#504)\n * Test on PyPy 7\n * Drop test support for end of life Python 3.4\n * ``bleach.clean`` behavior parsing embedded MathML and SVG content with\n RCDATA tags did not match browser behavior and could result in a\n mutation XSS. Calls to ``bleach.clean`` with ``strip=False`` and\n ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``,\n ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or\n ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-571=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-04-18T00:00:00", "type": "suse", "title": "Security update for python-bleach (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2020-6816", "CVE-2020-6817", "CVE-2021-23980"], "modified": "2021-04-18T00:00:00", "id": "OPENSUSE-SU-2021:0571-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UAZHEWM4ZYBZY5GDDDOMIZYEGFNANLKS/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhat": [{"lastseen": "2021-10-19T20:36:43", "description": "Red Hat Ansible Automation Platform integrates Red Hat's automation suite consisting of Red Hat Ansible Tower, Red Hat Ansible Engine, Automation Hub and use-case specific capabilities for Microsoft Windows, network, security, and more, along with Software-as-a-Service (SaaS)-based capabilities and features for organization-wide effectiveness.\n\nThis update fixes various bugs and adds enhancements. Documentation for\nthese changes is available from the Release Notes document linked to in the\nReferences section.\n\nSecurity Fix(es):\n\n* node-notifier: nodejs-node-notifier: command injection due to the options params not being sanitised when being passed an array (CVE-2020-7789)\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n* django: Potential directory-traversal via archive.extract() (CVE-2021-3281)\n* python-pygments: infinite loop in SML lexer may lead to DoS (CVE-2021-20270)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-09T15:08:01", 
"type": "redhat", "title": "(RHSA-2021:0781) Moderate: Red Hat Ansible Automation Platform 1.2.2 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15366", "CVE-2020-7789", "CVE-2021-20270", "CVE-2021-23980", "CVE-2021-27291", "CVE-2021-3281"], "modified": "2021-03-30T17:18:41", "id": "RHSA-2021:0781", "href": "https://access.redhat.com/errata/RHSA-2021:0781", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}