Lucene search

GoogleOSV:GHSA-55X5-FJ6C-H6M8

HistoryDec 13, 2021 - 6:14 p.m.

lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through

2021-12-1318:14:36

Google

osv.dev

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.4%

JSON

Impact

The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs.

Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5.

Patches

The issue has been resolved in lxml 4.6.5.

Workarounds

None.

References

The issues are tracked under the report IDs GHSL-2021-1037 and GHSL-2021-1038.

CPENameOperatorVersion
lxmleq4.3.5
lxmleq3.4.2
lxmleq2.2.4
lxmleq2.2.7
lxmleq4.1.1
lxmleq3.5.0
lxmleq4.5.1
lxmleq3.1.2
lxmleq4.2.5
lxmleq4.4.3

Name	Operator	Version
lxml	eq	4.3.5
lxml	eq	3.4.2
lxml	eq	2.2.4
lxml	eq	2.2.7
lxml	eq	4.1.1
lxml	eq	3.5.0
lxml	eq	4.5.1
lxml	eq	3.1.2
lxml	eq	4.2.5
lxml	eq	4.4.3

Rows per page:

1-10 of 971

References

github.com/lxml/lxml

github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a

github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776

github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0

github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8

lists.debian.org/debian-lts-announce/2021/12/msg00037.html

lists.fedoraproject.org/archives/list/[email protected]/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7

lists.fedoraproject.org/archives/list/[email protected]/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V

lists.fedoraproject.org/archives/list/[email protected]/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7

lists.fedoraproject.org/archives/list/[email protected]/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44

nvd.nist.gov/vuln/detail/CVE-2021-43818

security.gentoo.org/glsa/202208-06

security.netapp.com/advisory/ntap-20220107-0005

www.debian.org/security/2022/dsa-5043

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujul2022.html

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.4%

JSON

Related for OSV:GHSA-55X5-FJ6C-H6M8