Bug 1925252 (CVE-2021-23980)

Summary: CVE-2021-23980 python-bleach: Mutation cross-site scripting in bleach.clean
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: davidn, gblomqui, jhardy, kaycoth, mabashia, mrunge, osapryki, rhel8-maint, smcdonal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-bleach 3.3.0
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1925253, 1925254, 1925257, 1932063, 1944800
Bug Blocks: 1925255

Description Michael Kaplan 2021-02-04 17:15:09 UTC
A mutation XSS affects users calling bleach.clean with all of:

- svg or math in the allowed tags
- p or br in allowed tags
- style in allowed tags
- the keyword argument strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

Comment 1 Michael Kaplan 2021-02-04 17:15:13 UTC
External References:

https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq

Comment 2 Michael Kaplan 2021-02-04 17:15:33 UTC
Created python-bleach tracking bugs for this issue:

Affects: epel-all [bug 1925254]
Affects: fedora-all [bug 1925253]

Comment 5 Tapas Jena 2021-03-30 17:11:42 UTC
Reducing the impact of the vulnerability on Ansible Automation Platform from Medium to Low as the affected functionality of the Python bleach is not enabled by default.