Bug 2032569 (CVE-2021-43818)
Summary: | CVE-2021-43818 python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, bbuckingham, bcoca, bcourt, bkearney, btotty, caswilli, cmeyers, davidn, dbecker, ehelms, fjansen, gblomqui, hhorak, igor.raits, jcammara, jhardy, jjoyce, jobarker, jorton, jpopelka, jschluet, jsherril, kaycoth, lhh, lpeer, lzap, mabashia, manisandro, mburns, me, mhulan, mizdebsk, mmccune, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, python-maint, rchan, relrod, rpetrell, sclewis, scorneli, sdoran, slinaber, smcdonal, tkuratom |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-lxml 4.6.5 | Doc Type: | If docs needed, set a value |
Doc Text: | There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and JavaScript. An attacker who is able to submit a crafted payload to a web service that uses python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images embedded via data URLs, such as <img src="">. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-11 22:46:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2034590, 2034591, 2032571, 2032572, 2033024, 2033115, 2033116, 2033117, 2033118, 2033119, 2033120, 2034288, 2034592, 2034593, 2064446 | ||
Bug Blocks: | 2032570 |
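Added example, not code from this bug report and not part of lxml: a stand-alone scan for the vector the Doc Text describes, script content inside an SVG image carried in a data: URL. It uses only the Python standard library so it runs without lxml installed; the attribute set, the script-content patterns and the sample HTML are assumptions constructed for the example. It is a triage aid for spotting such payloads in input or in cleaner output, not a sanitizer, and does not replace upgrading to python-lxml 4.6.5.

```python
# Added example (not lxml code, not from this bug): find attributes whose
# data: URL carries an SVG that contains script content.
# Standard library only; the attribute list, patterns and sample input are
# assumptions constructed for this example.
import base64
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote_to_bytes

# Attributes that commonly carry a URL (assumed subset, not lxml's list).
URL_ATTRS = {"src", "href", "data", "xlink:href", "poster"}

# data:<mime>[;param]*,<payload>  (RFC 2397 shape, matched case-insensitively)
DATA_URL_RE = re.compile(
    r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$",
    re.DOTALL | re.IGNORECASE,
)

# Byte-level heuristics for script content inside the decoded SVG:
# a <script> element, an on* event-handler attribute, or a javascript: URL.
SCRIPT_RE = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def decode_data_url(value):
    """Return (mime, payload_bytes) for a data: URL, or None for any other URL."""
    m = DATA_URL_RE.match(value)
    if m is None:
        return None
    mime = m.group("mime").strip().lower()
    params = m.group("params").lower()
    payload = m.group("payload")
    if ";base64" in params:
        try:
            # Pad to a multiple of 4 so a payload with stripped padding still decodes.
            data = base64.b64decode(payload + "=" * (-len(payload) % 4))
        except ValueError:
            # Not valid base64 (binascii.Error is a ValueError): keep the raw bytes.
            data = payload.encode("utf-8", "replace")
    else:
        # Non-base64 payloads are percent-encoded text.
        data = unquote_to_bytes(payload)
    return mime, data


class SvgDataUrlScanner(HTMLParser):
    """Collect (tag, attribute, mime) for every SVG data: URL holding script content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lower-cases tag and attribute names
            if value is None or name not in URL_ATTRS:
                continue
            decoded = decode_data_url(value)
            if decoded is None:
                continue
            mime, data = decoded
            if mime.startswith("image/svg") and SCRIPT_RE.search(data):
                self.findings.append((tag, name, mime))


def find_svg_script_data_urls(html):
    """Scan an HTML document and return the offending (tag, attribute, mime) triples."""
    scanner = SvgDataUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample input: two SVG payloads (one with <script>, one benign)
# embedded with different attributes and encodings, plus a non-SVG data URL.
SVG_WITH_SCRIPT = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SVG_BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def _b64(text):
    return base64.b64encode(text.encode()).decode()


SAMPLE_HTML = (
    "<p>Profile picture:</p>"
    f'<img src="data:image/svg+xml;base64,{_b64(SVG_WITH_SCRIPT)}">'
    f'<img src="data:image/svg+xml,{quote(SVG_BENIGN)}">'
    f'<img src="data:image/png;base64,{_b64("not an svg")}">'
    f'<object data="DATA:image/svg+xml;utf8,{quote(SVG_WITH_SCRIPT)}"></object>'
    '<a href="https://example.test/x.svg">link</a>'
)

if __name__ == "__main__":
    for tag, attr, mime in find_svg_script_data_urls(SAMPLE_HTML):
        print(f"<{tag} {attr}=...> carries {mime} with script content")
```

Feed it the HTML you pass to the cleaner and, separately, what the cleaner returns: a finding that survives in the output on a version before 4.6.5 is the class of bypass this bug tracks. The patterns are byte-level heuristics, so a payload in an unexpected text encoding or using obfuscation the regexes do not cover will be missed; treat an empty result as "nothing found", not as proof of safety.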
Description
Guilherme de Almeida Suckevicz
2021-12-14 18:02:39 UTC
Created mingw-python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 2032571]

Created python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 2032572]

RHUI 4 does not use lxml directly; it's Pulp's dependency. Pulp uses lxml.etree, but that is not vulnerable here. The following location uses lxml.html, but clean_html is not being used anywhere. RHUI is not vulnerable in code.

https://github.com/pulp/pulp/blob/308d164420ac489e030a7a6488ff6712d7de44f6/playpen/metadata/updatemetadata_lxml.py#L7

Creating the missing affect for Ansible Automation Platform 2.0

Analysis is complete for Ansible and its components, and it was found that though Ansible Tower (now Controller)/AWX uses the vulnerable version of lxml [1], it doesn't use the vulnerable function, i.e. clean_html, anywhere [2]. However, to be on the safer side, it's always better to upgrade to the secure version of lxml (i.e. 4.6.x; the current version is 4.5) to avoid introduction of such vulnerable functionality in the future, unless there is a backward-compatibility or hard-dependency issue with the current version. Hence, marking the Ansible components as Affected --> delegated and creating the required trackers.

[1] https://github.com/ansible/tower/blob/a206d7985124960a4e408a0c647617dbb1776433/requirements/requirements.txt#L196
[2] https://github.com/ansible/ansible/blob/2cbfd1e350cbe1ca195d33306b5a9628667ddda8/lib/ansible/plugins/netconf/__init__.py#L43

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1664 https://access.redhat.com/errata/RHSA-2022:1664

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1763 https://access.redhat.com/errata/RHSA-2022:1763

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1932 https://access.redhat.com/errata/RHSA-2022:1932

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43818

This issue has been addressed in the following products:

Red Hat Satellite 6.11 for RHEL 7
Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498