Lucene search
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-4892.NASLHistoryApr 19, 2021 - 12:00 a.m.
Debian DSA-4892-1 : python-bleach - security update
2021-04-1900:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10
6.1 Medium
AI Score
Confidence
High
It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when’svg’ or ‘math’ are in the allowed tags, ‘p’ or ‘br’ are in allowed tags, ‘style’, ‘title’, ‘noscript’, ‘script’, ‘textarea’, ‘noframes’,‘iframe’, or ‘xmp’ are in allowed tags and ‘strip_comments=False’ is set.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-4892. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include("compat.inc");
if (description)
{
script_id(148756);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/12");
script_cve_id("CVE-2021-23980");
script_xref(name:"DSA", value:"4892");
script_name(english:"Debian DSA-4892-1 : python-bleach - security update");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean
when'svg' or 'math' are in the allowed tags, 'p' or 'br' are in
allowed tags, 'style', 'title', 'noscript', 'script', 'textarea',
'noframes','iframe', or 'xmp' are in allowed tags and
'strip_comments=False' is set."
);
script_set_attribute(
attribute:"see_also",
value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986251"
);
# https://security-tracker.debian.org/tracker/source-package/python-bleach
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?2438169a"
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/buster/python-bleach"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.debian.org/security/2021/dsa-4892"
);
script_set_attribute(
attribute:"solution",
value:
"Upgrade the python-bleach packages.
For the stable distribution (buster), this problem has been fixed in
version 3.1.2-0+deb10u2."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-23980");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-bleach");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/16");
script_set_attribute(attribute:"patch_publication_date", value:"2021/04/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/04/19");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"10.0", prefix:"python-bleach", reference:"3.1.2-0+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"python-bleach-doc", reference:"3.1.2-0+deb10u2")) flag++;
if (deb_check(release:"10.0", prefix:"python3-bleach", reference:"3.1.2-0+deb10u2")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | python-bleach | p-cpe:/a:debian:debian_linux:python-bleach |
| debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |
Related
osv
osv
python-bleach - security update
2021-04-18 00:00:00
PYSEC-2021-865
2021-02-02 17:58:00
CVE-2021-23980
2023-02-16 22:15:10
mageia
mageia
Updated python-bleach packages fix a security vulnerability
2021-06-16 23:22:25
redhatcve
redhatcve
CVE-2021-23980
2021-03-30 16:04:58
nessus
nessus
Debian DLA-2620-1 : python-bleach security update
2021-04-07 00:00:00
openSUSE Security Update : python-bleach (openSUSE-2021-552)
2021-04-15 00:00:00
prion
prion
Design/Logic Flaw
2023-02-16 22:15:00
debian
debian
[SECURITY] [DLA 2620-1] python-bleach security update
2021-04-06 12:22:09
[SECURITY] [DSA 4892-1] python-bleach security update
2021-04-18 14:41:59
[SECURITY] [DSA 4892-1] python-bleach security update
2021-04-18 14:41:59
ubuntucve
ubuntucve
CVE-2021-23980
2023-02-16 00:00:00
debiancve
debiancve
CVE-2021-23980
2023-02-16 22:15:10
alpinelinux
alpinelinux
CVE-2021-23980
2023-02-16 22:15:00
cve
cve
CVE-2021-23980
2023-02-16 22:15:00
github
github
Cross-site scripting in Bleach
2021-02-02 17:58:40
suse
suse
Security update for python-bleach (important)
2021-04-18 00:00:00
Security update for python-bleach (important)
2021-04-14 00:00:00
redhat
redhat