Bug 1925252 (CVE-2021-23980) - CVE-2021-23980 python-bleach: Mutation cross-site scripting in bleach.clean
Summary: CVE-2021-23980 python-bleach: Mutation cross-site scripting in bleach.clean
Status: NEW
Alias: CVE-2021-23980
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1925254 1925253 1925257 1932063 1944800
Blocks: 1925255
Reported: 2021-02-04 17:15 UTC by Michael Kaplan
Modified: 2023-07-07 08:30 UTC (History)

Fixed In Version: python-bleach 3.3.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Michael Kaplan 2021-02-04 17:15:09 UTC
A mutation XSS affects users calling bleach.clean with all of:

- svg or math in the allowed tags
- p or br in allowed tags
- style in allowed tags
- the keyword argument strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
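The four preconditions above are a conjunction, so a useful defender-side check is one that inspects the arguments a caller passes to bleach.clean and reports whether every one of them holds together with an unfixed library version. The following is an added example, not code from this bug report or from the bleach project; it does not import bleach, and the copy of the default allowed-tag list and the simple version parser are this example's own assumptions (verify the tag list against `bleach.sanitizer.ALLOWED_TAGS` in your installed version).

```python
"""Configuration check for the bleach.clean preconditions named in CVE-2021-23980.

Added example; not part of the bug report or of python-bleach itself.
It never calls bleach: it inspects the intended arguments to bleach.clean
and the installed version string, and says whether all reported
preconditions are met on a version before the fix (python-bleach 3.3.0).
"""
from typing import Iterable, List, Optional, Tuple

# Assumption: copy of bleach.sanitizer.ALLOWED_TAGS as shipped in bleach 3.x.
# None of the tags named in the report appear here, which is why the
# default configuration is not affected.
DEFAULT_ALLOWED_TAGS = [
    "a", "abbr", "acronym", "b", "blockquote", "code",
    "em", "i", "li", "ol", "strong", "ul",
]

FIXED_VERSION = (3, 3, 0)  # "Fixed In Version: python-bleach 3.3.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.2.1' into (3, 2, 1).

    Each dotted piece keeps only its leading digits, so a pre-release tag such
    as '3.3.0rc1' compares as (3, 3, 0). Assumed-simple parsing for this example.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def met_preconditions(tags: Optional[Iterable[str]] = None,
                      strip_comments: bool = True) -> List[str]:
    """Return which of the four reported preconditions this clean() call meets.

    The report requires all of: svg or math allowed, p or br allowed,
    style allowed, and strip_comments=False. A call is only in the affected
    configuration when the returned list has all four entries.
    """
    source = DEFAULT_ALLOWED_TAGS if tags is None else tags
    allowed = {t.lower() for t in source}
    met = []
    if allowed & {"svg", "math"}:
        met.append("svg or math allowed")
    if allowed & {"p", "br"}:
        met.append("p or br allowed")
    if "style" in allowed:
        met.append("style allowed")
    if not strip_comments:
        met.append("strip_comments=False")
    return met


def is_exposed(bleach_version: str,
               tags: Optional[Iterable[str]] = None,
               strip_comments: bool = True) -> bool:
    """True only when the version predates 3.3.0 and every precondition is met."""
    if parse_version(bleach_version) >= FIXED_VERSION:
        return False
    return len(met_preconditions(tags, strip_comments)) == 4


if __name__ == "__main__":
    # Constructed sample configurations for illustration.
    widened = ["p", "br", "svg", "math", "style", "a", "b"]
    print("defaults on 3.2.3 exposed:", is_exposed("3.2.3"))
    print("widened tags, comments stripped:", is_exposed("3.2.3", widened, True))
    print("widened tags, strip_comments=False:", is_exposed("3.2.3", widened, False))
    print("same call after upgrade to 3.3.0:", is_exposed("3.3.0", widened, False))
    print("conditions met by the risky call:", met_preconditions(widened, False))
```

Run against the arguments your code actually passes: a result of `True` means either upgrading to 3.3.0 or removing any one of the four conditions (most simply, leaving `strip_comments` at its default of `True`) takes the call out of the affected configuration.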

Comment 1 Michael Kaplan 2021-02-04 17:15:13 UTC
External References:


Comment 2 Michael Kaplan 2021-02-04 17:15:33 UTC
Created python-bleach tracking bugs for this issue:

Affects: epel-all [bug 1925254]
Affects: fedora-all [bug 1925253]

Comment 5 Tapas Jena 2021-03-30 17:11:42 UTC
Reducing the impact of the vulnerability on Ansible Automation Platform from Medium to Low as the affected functionality of the Python bleach is not enabled by default.
