Amazon Linux 2 : python-lxml (ALAS-2023-1956)

🗓️ 22 Feb 2023 00:00:00Reported by TenableType

Amazon Linux 2 python-lxml vulnerability (ALAS-2023-1956) affected version prior to 3.2.1-

Reporter	Title	Published	Views	Family All 352
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	16 Jun 202315:20	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in lxml (CVE-2021-43818)	12 Jan 202321:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	15 Apr 202502:20	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	12 Jan 202317:22	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	15 Apr 202502:27	–	ibm
GithubExploit	Exploit for Deserialization of Untrusted Data in Pyyaml	29 Aug 202510:27	–	githubexploit
ATTACKERKB	CVE-2014-3146	14 May 201419:55	–	attackerkb
Tenable Nessus	Amazon Linux 2022 : python3-lxml (ALAS2022-2022-074)	6 Sep 202200:00	–	nessus
Tenable Nessus	Amazon Linux 2022 : python3-lxml (ALAS2022-2022-178)	4 Nov 202200:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : python3-lxml (ALAS2023-2023-034)	21 Mar 202300:00	–	nessus

Source	Link
alas	www.alas.aws.amazon.com/AL2/ALAS-2023-1956.html
alas	www.alas.aws.amazon.com/faqs.html
alas	www.alas.aws.amazon.com/cve/html/CVE-2014-3146.html
alas	www.alas.aws.amazon.com/cve/html/CVE-2018-19787.html
alas	www.alas.aws.amazon.com/cve/html/CVE-2021-43818.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2023-1956.
##

include('compat.inc');

if (description)
{
  script_id(171803);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/03/17");

  script_cve_id("CVE-2014-3146", "CVE-2018-19787", "CVE-2021-43818");

  script_name(english:"Amazon Linux 2 : python-lxml (ALAS-2023-1956)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of python-lxml installed on the remote host is prior to 3.2.1-4. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2023-1956 advisory.

    Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote
    attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the
    clean_html function. (CVE-2014-3146)

    An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not
    remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as
    demonstrated by j a v a s c r i p t: in Internet Explorer. This is a similar issue to CVE-2014-3146.
    (CVE-2018-19787)

    There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and
    Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML
    Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because
    the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src=>. XSS can result
    in impacts to the integrity and availability of the web page, as well as a potential impact to data
    confidentiality in some circumstances. (CVE-2021-43818)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2023-1956.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2014-3146.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2018-19787.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-43818.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update python-lxml' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-43818");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/02/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-lxml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-lxml-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-lxml-docs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'python-lxml-3.2.1-4.amzn2.0.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-lxml-3.2.1-4.amzn2.0.4', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-lxml-3.2.1-4.amzn2.0.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-lxml-debuginfo-3.2.1-4.amzn2.0.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-lxml-debuginfo-3.2.1-4.amzn2.0.4', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-lxml-debuginfo-3.2.1-4.amzn2.0.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python-lxml-docs-3.2.1-4.amzn2.0.4', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-lxml / python-lxml-debuginfo / python-lxml-docs");
}

17 Mar 2025 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 26.8

CVSS 36.1

CVSS 3.17.1 - 8.2

EPSS0.05428

SSVC