Bug 1901633 (CVE-2020-27783)
| Summary: | CVE-2020-27783 python-lxml: mXSS due to the use of improper parser | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | apevec, carnil, dbecker, hhorak, igor.raits, jjoyce, jmoran, jorton, jpopelka, jschluet, lhh, lpeer, mburns, me, mizdebsk, python-maint, redhat-bugzilla, sclewis, slinaber, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | lxml 4.6.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | A cross-site scripting (XSS) vulnerability was found in python-lxml's `clean` module. The module's parser did not properly imitate browsers, so the sanitizer and the user's browser interpreted the same markup differently (mutation XSS). This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 14:36:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1901634, 1902291, 1902292, 1902293, 1902294, 1903381, 1910654, 1969512 | | |
| Bug Blocks: | 1896874 | | |
Description
Guilherme de Almeida Suckevicz
2020-11-25 17:06:43 UTC
Created python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 1901634]

Upstream info for 4.6.2 fix:
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
https://pypi.org/project/lxml/4.6.2/

Hi,

As the assigning CNA for CVE-2020-27783, can you clarify the scope of it? Originally, and per https://bugzilla.redhat.com/show_bug.cgi?id=1901633#c0, this only seems to apply to https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e, which was fixed in 4.6.1 upstream. Later on, upstream referenced the CVE in the 4.6.2 notes but also fixed there a second vector, `<math/svg>` and `<style>`, via https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 in 4.6.2. Can you ideally assign a second CVE for the second fix? Some might have covered only the `<noscript>` and `<style>` part with CVE-2020-27783.

Thanks already,

Regards,
Salvatore

@Salvatore, as we talked by email, according to upstream the fix was split into 2 releases and the issues were discovered together. Also, the CVE doesn't specifically say it's only for certain XSS vectors; therefore, we think a new CVE is not needed in this case. Thank you for bringing this to us!

FEDORA-2020-0e055ea503 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-2020-307946cfb6 has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.

This bug is now closed.
Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27783

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1898 https://access.redhat.com/errata/RHSA-2021:1898

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
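The parser mismatch that the Doc Text describes, and the `<noscript>` vector named in the CVE-scope discussion above, as an added example that is not part of this bug report and is not lxml's code: a toy cleaner built on Python's `html.parser` (which, like a server-side HTML parser with no script engine, parses `<noscript>` content as markup) strips a direct `onerror` handler, yet its own output re-parsed under browser rules with scripting enabled (`<noscript>` content is raw text up to the first literal `</noscript>`) contains a live `<img onerror>`. The payload, the cleaner, the serializer and the browser approximation are all constructed here to illustrate the class of bug; they do not reproduce lxml's code paths or the inputs from the upstream report.

```python
"""Added illustration of the sanitizer/browser parser mismatch (mXSS) class.

Not lxml's code. Uses only the standard library so it runs without lxml.
The payload is a constructed example of the <noscript> vector class, not
the exact input from the upstream lxml report.
"""
import re
from html import escape
from html.parser import HTMLParser

DROP_TAGS = {"script"}  # tags the toy cleaner removes together with their content


class _Events(HTMLParser):
    """Records (kind, name, attrs) for start tags, end tags and text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.events.append(("start", tag, attrs))

    def handle_endtag(self, tag):
        self.events.append(("end", tag, []))

    def handle_data(self, data):
        self.events.append(("text", data, []))


def parse_scripting_disabled(html):
    """html.parser treats only <script>/<style> as raw text, so <noscript>
    content is tokenized as markup, as a parser without a script engine does."""
    p = _Events()
    p.feed(html)
    p.close()
    return p.events


_NOSCRIPT = re.compile(r"(<noscript[^>]*>)(.*?)(</noscript\s*>)", re.I | re.S)


def parse_scripting_enabled(html):
    """Approximate a browser with scripting on: everything after <noscript> up to
    the first literal </noscript> is raw text, whatever it contains. Escaping that
    span turns it into text for html.parser, so the remainder (including anything
    that was hiding inside an attribute value) is tokenized as markup.
    An unterminated <noscript> is left untouched (a browser would swallow the rest)."""
    raw = _NOSCRIPT.sub(lambda m: m.group(1) + escape(m.group(2), quote=False) + m.group(3), html)
    return parse_scripting_disabled(raw)


def _attr(value):
    """HTML fragment serialization escapes only & and " (and nbsp) in attribute
    values; < and > are left alone, which is how a closing tag survives inside one."""
    return (value or "").replace("&", "&amp;").replace('"', "&quot;")


def sanitize(html, drop=DROP_TAGS):
    """Toy cleaner: scripting-disabled parse, drop `drop` tags with their content
    and every on* attribute, then serialize again."""
    out = []
    dropping = None
    for kind, name, attrs in parse_scripting_disabled(html):
        if dropping:
            if kind == "end" and name == dropping:
                dropping = None
            continue
        if kind == "start":
            if name in drop:
                dropping = name
                continue
            kept = "".join(
                ' %s="%s"' % (k, _attr(v)) for k, v in attrs if not k.lower().startswith("on")
            )
            out.append("<%s%s>" % (name, kept))
        elif kind == "end":
            out.append("</%s>" % name)
        else:
            out.append(escape(name, quote=False))
    return "".join(out)


def event_handlers(events):
    """Return (tag, attribute, value) for every on* attribute in a parse."""
    return [(tag, k, v) for kind, tag, attrs in events if kind == "start"
            for k, v in attrs if k.lower().startswith("on")]


# Constructed payload: the <img> sits inside a title attribute, so a
# scripting-disabled parse never sees it as an element.
PAYLOAD = '<noscript><p title="</noscript><img src=x onerror=alert(1)>"></noscript>'


def demo(payload=PAYLOAD):
    """Returns (cleaned html, handlers the cleaner sees, handlers a browser sees)."""
    cleaned = sanitize(payload)
    return (cleaned,
            event_handlers(parse_scripting_disabled(cleaned)),
            event_handlers(parse_scripting_enabled(cleaned)))


if __name__ == "__main__":
    cleaned, cleaner_sees, browser_sees = demo()
    print("cleaned :", cleaned)
    print("cleaner :", cleaner_sees)
    print("browser :", browser_sees)
```

Running it prints the cleaned markup unchanged, an empty handler list for the cleaner's own re-parse, and `[('img', 'onerror', 'alert(1)')]` for the browser-rules re-parse. The `drop` parameter shows one generic mitigation, removing elements whose tokenization depends on browser state (`sanitize(PAYLOAD, drop={"script", "noscript"})` yields an empty string); that is an illustration of the principle, not a statement of what the 4.6.1 and 4.6.2 commits do.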