Bug 1941534 (CVE-2021-28957)

Summary: CVE-2021-28957 python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, bcoca, chousekn, cmeyers, davidn, gblomqui, hhorak, igor.raits, jcammara, jhardy, jjoyce, jobarker, jorton, jpopelka, jschluet, lhh, lpeer, mabashia, mburns, me, mizdebsk, notting, osapryki, python-maint, redhat-bugzilla, relrod, rschiron, sclewis, sdoran, slinaber, smcdonal, tkuratom
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-lxml 4.6.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-lxml. The HTML5 formaction attribute is not input-sanitized the way the HTML action attribute is, which can lead to a Cross-Site Scripting (XSS) attack when an application uses python-lxml to sanitize user input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-24 15:35:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1941535, 1941690, 1941709, 1941710, 1941711, 1941712, 1941713, 1941910, 1941955, 1946880, 1946881, 1946882, 1969519
Bug Blocks: 1941538

Description Marian Rehak 2021-03-22 10:37:38 UTC
lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.

Reference:

https://bugs.launchpad.net/lxml/+bug/1888153

Comment 1 Marian Rehak 2021-03-22 10:38:06 UTC
Created python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 1941535]

Comment 2 Riccardo Schirone 2021-03-22 14:40:28 UTC
Upstream patch:
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d

Comment 4 Riccardo Schirone 2021-03-22 15:39:29 UTC
Created python3-lxml tracking bugs for this issue:

Affects: epel-all [bug 1941690]

Comment 6 Riccardo Schirone 2021-03-22 16:17:36 UTC
python-lxml, with the lxml.html.clean.Cleaner class, allows cleaning documents of each of the possible offending elements, like `javascript:`, script tags, etc. However, due to this flaw it did not clean possibly offending elements in the "formaction" attribute of buttons and similar HTML objects, because the attribute was not considered one to look for links in.

Comment 11 Tapas Jena 2021-04-06 16:52:15 UTC
Completed analysis for Ansible Tower and AAP 1.2 and found that, though the affected lxml version is being used, it is just not used in a vulnerable way.
That is, there is no usage of the HTML Cleaner lib/function along with the formaction attribute. Hence, marking both Tower and AAP 1.2 as "Not Affected".

Comment 12 Tapas Jena 2021-04-07 06:38:26 UTC
Lowering the impact for Tower and AAP 1.2 from Moderate to Low as the concerned function/attribute which causes this vulnerability is not in use.

Comment 14 Tapas Jena 2021-04-07 07:03:31 UTC
Statement:

Web applications vulnerable to this flaw, where an XSS attack can be accomplished, are only those that use python-lxml to sanitize HTML input and that allow user data to be placed in the "formaction" attribute of a form button.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the package is unlikely to be exploited in the RHOSP environment, no update will be provided at this time for the RHOSP python-lxml package.

For Ansible Tower and Ansible Automation Platform, lowering the impact from Moderate to Low as the vulnerable function (the lxml HTML Cleaner) and the vulnerable attribute (HTML formaction) are not being used.
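
The mechanism described in Comment 6 and the exposure condition in the statement above, as an added illustration that is not part of this bug report and not lxml's own Cleaner code: a minimal stdlib-only sanitizer that, like lxml's `defs.link_attrs`, only scheme-checks attributes listed in a link-attribute set. Run with a set that lacks `formaction` it passes a `javascript:` URL through on a `<button>`; with `formaction` added (as upstream did in 4.6.3) the attribute is dropped and recorded for audit logging. The attribute sets, the `SAFE_SCHEMES` allow-list, the sample HTML and the `lxml_version_is_fixed` helper are constructed here for the demonstration; the version threshold comes from the "Fixed In Version" field of this bug.

```python
"""Model of the CVE-2021-28957 defect: a URL-scheme sanitizer that only
inspects attributes listed in a link-attribute set.  Added illustration
using the standard library; it is not lxml's Cleaner and models only the
link-attribute check, not the rest of what lxml.html.clean does."""
import re
from html import escape
from html.parser import HTMLParser

# Representative URL-carrying attributes (constructed subset, mirroring the
# idea of lxml's defs.link_attrs).  "formaction" (HTML5) was missing from
# lxml's set before 4.6.3, so the cleaner never looked at its value.
LINK_ATTRS_BEFORE_FIX = frozenset({"action", "href", "src", "background", "cite", "longdesc"})
LINK_ATTRS_AFTER_FIX = LINK_ATTRS_BEFORE_FIX | {"formaction"}

# Allow-list of schemes; "" means a relative URL, which is always allowed.
SAFE_SCHEMES = frozenset({"", "http", "https", "mailto"})

# Tags that never get a closing tag in serialized output.
VOID_TAGS = frozenset({"area", "base", "br", "col", "embed", "hr", "img",
                       "input", "link", "meta", "source", "track", "wbr"})


def url_scheme(url):
    """Return the lower-cased scheme of url, or "" if it is relative.
    ASCII control characters and whitespace are removed first because
    browsers ignore them when parsing a scheme, so a raw prefix check
    would be too weak."""
    compact = re.sub(r"[\x00-\x20]+", "", url)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", compact)
    return m.group(1).lower() if m else ""


class LinkAttrSanitizer(HTMLParser):
    """Re-serializes HTML, dropping link attributes with a disallowed scheme.
    Attributes not in link_attrs are passed through untouched: that gap is
    exactly the defect this bug describes."""

    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = frozenset(a.lower() for a in link_attrs)
        self.parts = []
        self.dropped = []  # (tag, attribute, value) for audit logging

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if (name in self.link_attrs and value is not None
                    and url_scheme(value) not in SAFE_SCHEMES):
                self.dropped.append((tag, name, value))
                continue
            kept.append((name, value))
        return kept

    @staticmethod
    def _render(tag, attrs, self_closing):
        pieces = [tag]
        for name, value in attrs:
            pieces.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(pieces) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.parts.append(self._render(tag, self._filter(tag, attrs), False))

    def handle_startendtag(self, tag, attrs):
        self.parts.append(self._render(tag, self._filter(tag, attrs), True))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(escape(data, quote=False))


def sanitize(html, link_attrs=LINK_ATTRS_AFTER_FIX):
    """Return (sanitized_html, dropped_attributes)."""
    parser = LinkAttrSanitizer(link_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.parts), parser.dropped


FIXED_IN = (4, 6, 3)  # "Fixed In Version: python-lxml 4.6.3" on this bug


def lxml_version_is_fixed(version):
    """True if an lxml version string is at or past the upstream fix."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (nums + (0, 0, 0))[:3] >= FIXED_IN


# Constructed sample: a form whose button carries a javascript: formaction.
SAMPLE = ('<form action="/post"><button formaction="javascript:void(0)">Go</button>'
          '<a href="/ok">ok</a></form>')

if __name__ == "__main__":
    for label, attrs in (("before fix", LINK_ATTRS_BEFORE_FIX), ("after fix", LINK_ATTRS_AFTER_FIX)):
        out, dropped = sanitize(SAMPLE, attrs)
        print(f"{label}: {out}\n  dropped: {dropped}")
    print("lxml 4.6.2 fixed?", lxml_version_is_fixed("4.6.2"))
```

The `dropped` list is the part worth wiring into application logging: a sanitizer that silently removes attributes gives no signal that untrusted input contained a `javascript:` URL, whereas recording the tag, attribute and value lets a team see the attempt and confirm the deployed lxml (4.6.3 or later) is actually covering `formaction`.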

Comment 17 Fedora Update System 2021-06-04 01:02:54 UTC
FEDORA-2021-4cdb0f68c7 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2021-08-24 08:09:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 21 Product Security DevOps Team 2021-08-24 15:35:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28957

Comment 22 errata-xmlrpc 2021-11-09 17:25:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151

Comment 23 errata-xmlrpc 2021-11-09 17:27:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4158 https://access.redhat.com/errata/RHSA-2021:4158

Comment 24 errata-xmlrpc 2021-11-09 17:27:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 25 errata-xmlrpc 2021-11-09 17:28:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162