Bug 1901633 (CVE-2020-27783) - CVE-2020-27783 python-lxml: mXSS due to the use of improper parser
Summary: CVE-2020-27783 python-lxml: mXSS due to the use of improper parser
Keywords:
Status: NEW
Alias: CVE-2020-27783
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1901634 1902291 1902292 1902293 1902294 1903381 1910654
Blocks: 1896874
Reported: 2020-11-25 17:06 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-01-20 02:13 UTC (History)

Fixed In Version: lxml 4.6.2
Doc Type: If docs needed, set a value
Doc Text:
A Cross-site Scripting (XSS) vulnerability was found in the python-lxml clean module (lxml.html.clean). The HTML parser the sanitizer relies on did not faithfully imitate browser parsing, so the sanitizer and the user's browser could build different trees from the same markup (a mutation XSS, or mXSS). A remote attacker who can submit content that is sanitized by this module can use the mismatch to get HTML/JavaScript past the cleaner and have it execute in the browser of a user viewing the output. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2020-11-25 17:06:43 UTC
The python-lxml package from version 1.2 and before version 4.6.2 is vulnerable to mXSS due to the use of an improper parser. The parser used doesn't imitate browsers, which causes different behaviours between the sanitizer and the user's page. This can result in arbitrary HTML/JS code execution.

References:
https://pypi.org/project/lxml/4.6.1/
https://pypi.org/project/lxml/4.6.2/


Upstream patches:
https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
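
The Doc Text and the description above both describe the root cause as a parser mismatch: the cleaner parses and re-serializes markup one way, the browser parses the result another way. The following is an added example, not code from the lxml project or from this bug report, showing the two checks a practitioner would want: a version gate against the "Fixed In Version" (lxml 4.6.2), and a fixed-point probe that feeds a sanitizer its own output and flags any change, since a cleaner that rewrites its own output is reading it differently from how it wrote it, which is exactly the gap mXSS lives in. The helper names, the deliberately weak one-pass toy sanitizer, and the probe inputs (built around the `<noscript>`, `<style>` and `<math>`/`<svg>` element types named in this bug, but not the upstream test cases) are all constructed here. A stable fixed point is a necessary condition, not proof of safety, and this probe is not the upstream fix, which changed how the parser treats those elements.

```python
"""Version gate and fixed-point probe for an HTML sanitizer (added example).

Nothing here is lxml's own code. Helper names, the toy sanitizer and the
sample inputs are constructed for illustration.
"""
import re
from typing import Callable, List, Optional

FIXED_IN = (4, 6, 2)  # "Fixed In Version: lxml 4.6.2" per this bug


def parse_version(v: str) -> tuple:
    """Turn '4.6.2' (or '4.6.2.post1', '5.0a1') into a comparable tuple.

    Only leading numeric components are kept; suffixes are dropped, so
    '4.6.2.post1' -> (4, 6, 2) and '5.0a1' -> (5, 0).
    """
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def lxml_clean_is_patched(version: str) -> bool:
    """True when the given lxml version carries both upstream commits (>= 4.6.2)."""
    return parse_version(version) >= FIXED_IN


def installed_lxml_is_patched() -> Optional[bool]:
    """Check the lxml actually installed; None if lxml is not importable."""
    try:
        import lxml  # type: ignore
    except ImportError:
        return None
    return lxml_clean_is_patched(lxml.__version__)


def sanitizer_is_fixed_point(sanitize: Callable[[str], str], html: str,
                             rounds: int = 3) -> bool:
    """True if re-sanitizing the sanitizer's output leaves it unchanged.

    A sanitizer whose output mutates when fed back to it is parsing its own
    serialization differently from how it produced it. That mismatch is the
    mXSS precondition, so a False result is a red flag worth investigating.
    """
    cur = sanitize(html)
    for _ in range(rounds):
        nxt = sanitize(cur)
        if nxt != cur:
            return False
        cur = nxt
    return True


# Constructed, deliberately weak sanitizer: a single regex pass that deletes
# <script> and </script> tags. It is NOT the lxml cleaner; it exists only to
# show what a failing fixed-point probe looks like.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_strip_script(html: str) -> str:
    return _SCRIPT_TAG.sub("", html)


def lxml_cleaner_fixed_point(html: str) -> Optional[bool]:
    """Run the same probe against the real lxml cleaner, if one is installed.

    Returns None when neither lxml.html.clean (lxml < 5.2) nor the separate
    lxml_html_clean package (lxml >= 5.2.0) can be imported.
    """
    try:
        from lxml.html.clean import Cleaner  # type: ignore
    except ImportError:
        try:
            from lxml_html_clean import Cleaner  # type: ignore
        except ImportError:
            return None
    cleaner = Cleaner()  # default settings: scripts, styles, embeds stripped
    return sanitizer_is_fixed_point(cleaner.clean_html, html)


# Constructed probe inputs around the element types this bug names. They are
# not claimed to be exploits; they are shapes worth feeding a sanitizer.
PROBES = [
    "<b>hi</b>",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # defeats the toy regex
    "<noscript><p>text</p></noscript>",
    "<svg><style>p{}</style></svg>",
    "<math><style>p{}</style></math>",
]

if __name__ == "__main__":
    print("installed lxml patched:", installed_lxml_is_patched())
    for sample in PROBES:
        print(repr(sample))
        print("  toy regex sanitizer stable:", sanitizer_is_fixed_point(naive_strip_script, sample))
        print("  lxml cleaner stable:       ", lxml_cleaner_fixed_point(sample))
```

The toy sanitizer turns `<scr<script>ipt>alert(1)</scr</script>ipt>` into `<script>alert(1)</script>` on the first pass and into bare `alert(1)` on the second, so the probe reports it as unstable; that is the pattern to look for when validating any cleaner, lxml's included, after upgrading to 4.6.2 or later.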

Comment 1 Guilherme de Almeida Suckevicz 2020-11-25 17:07:00 UTC
Created python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 1901634]

Comment 6 Salvatore Bonaccorso 2020-12-13 20:12:22 UTC
Hi

As the assigning CNA for CVE-2020-27783, can you clarify the scope of it? Originally, and per https://bugzilla.redhat.com/show_bug.cgi?id=1901633#c0, this only seems to apply to https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e, which was fixed in 4.6.1 upstream. Later on, upstream referenced the CVE in the 4.6.2 notes, but also fixed there a second vector, <math/svg> and <style>, via https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 in 4.6.2.

Can you ideally assign a second CVE for the second fix? Some might have covered only the <noscript> and <style> part with CVE-2020-27783.

Thanks already,

Regards,
Salvatore

Comment 7 Guilherme de Almeida Suckevicz 2020-12-17 14:11:17 UTC
@Salvatore, as we discussed by email, according to upstream the fix was split across 2 releases and the issues were discovered together. Also, the CVE doesn't specifically say it's only for certain XSS vectors; therefore, we think a new CVE is not needed in this case.

Thank you for bringing this to us!

Comment 10 Fedora Update System 2021-01-14 01:37:11 UTC
FEDORA-2020-0e055ea503 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-01-14 01:42:35 UTC
FEDORA-2020-307946cfb6 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

