lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute. Reference: https://bugs.launchpad.net/lxml/+bug/1888153
Created python-lxml tracking bugs for this issue: Affects: fedora-all [bug 1941535]
Upstream patch: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
Created python3-lxml tracking bugs for this issue: Affects: epel-all [bug 1941690]
python-lxml with the lxml.html.clean.Cleaner class allows cleaning documents of each of the possible offending elements, like `javascript:` links, script tags, etc. However, due to this flaw it did not clean possibly offending values in the "formaction" attribute of buttons and similar HTML objects, because the attribute was not considered one to look for links.
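To make the attribute-allowlist gap described in this comment concrete, here is an added example (not lxml's code, not part of this bug report) that models a cleaner which checks URL-valued attributes against a fixed set of "link attributes", using only the standard-library `html.parser`. The attribute set `LINK_ATTRS_VULNERABLE` stands in for a list that contains `action` but not `formaction` (the 4.6.2 behaviour described above); `LINK_ATTRS_FIXED` adds `formaction`. The helper names, the unsafe-scheme list and the sample markup are constructed for illustration and are not taken from lxml.

```python
"""Model of the link-attribute allowlist gap behind CVE-2021-28957.

Added example, NOT lxml's code: it does not import lxml. It shows how a
cleaner that only inspects a fixed set of link attributes behaves when
`formaction` is missing from that set versus when it is present.
"""
from html.parser import HTMLParser
from html import escape

# Attributes whose values are URLs and must be checked for unsafe schemes.
# Constructed subset: `action` is tracked, `formaction` is not (the gap).
LINK_ATTRS_VULNERABLE = frozenset({"href", "src", "action"})
# The fix: treat the HTML5 formaction attribute as a link attribute too.
LINK_ATTRS_FIXED = LINK_ATTRS_VULNERABLE | {"formaction"}

# URL schemes that execute script or inject content in the page context.
UNSAFE_SCHEMES = ("javascript:", "vbscript:", "data:")


def is_unsafe_url(value):
    """True if the attribute value starts with a script-capable scheme.

    Whitespace and control characters are stripped first because browsers
    tolerate them before and inside the scheme name.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    return cleaned.startswith(UNSAFE_SCHEMES)


class LinkAttrCleaner(HTMLParser):
    """Re-serialises the input, dropping link attributes with unsafe URLs."""

    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.out = []
        self.dropped = []  # (tag, attr, value) records, useful for audit logs

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            # Only attributes on the allowlist are inspected; anything else
            # passes through untouched, which is exactly the flaw.
            if name in self.link_attrs and value is not None and is_unsafe_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

    def result(self):
        return "".join(self.out)


def clean(html, link_attrs):
    """Run the model cleaner; returns (cleaned_html, dropped_attributes)."""
    parser = LinkAttrCleaner(link_attrs)
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample: a form whose submit button carries a user-controlled
# formaction with a script scheme. The form's own action is caught by both
# allowlists; the button's formaction only by the fixed one.
SAMPLE = (
    '<form action="javascript:void(0)">'
    '<button formaction="javascript:void(0)">Go</button>'
    '</form>'
)


def formaction_survives(link_attrs):
    """True when a javascript: formaction passes through the cleaner."""
    cleaned, _ = clean(SAMPLE, link_attrs)
    return "formaction" in cleaned


if __name__ == "__main__":
    for label, attrs in (("4.6.2-style", LINK_ATTRS_VULNERABLE), ("fixed", LINK_ATTRS_FIXED)):
        cleaned, dropped = clean(SAMPLE, attrs)
        print(f"{label}: {cleaned}  dropped={dropped}")
```

The same shape of check is useful as a regression test against a real sanitizer: feed it markup with a script-scheme `formaction` and assert the attribute does not survive, which is how a deployment can confirm its installed lxml carries the upstream fix without reading version numbers.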
Completed analysis for Ansible Tower and AAP 1.2 and found that, though the affected lxml version is being used, it is just not used in a vulnerable way. That is, there is no usage of the HTML Cleaner lib/function along with the formaction attribute. Hence, marking both Tower and AAP 1.2 as "Not Affected".
Lowering the impact for Tower and AAP 1.2 from Moderate to Low as the concerned function/attribute which causes this vulnerability is not in use.
Statement: Web applications vulnerable to this flaw, where an XSS attack can be accomplished, are only those that use python-lxml to sanitize HTML input and that allow user data to be placed in the "formaction" attribute of a form button. In Red Hat OpenStack Platform, because the flaw has a lower impact and the package is unlikely to be exploited in the RHOSP environment, no update will be provided at this time for the RHOSP python-lxml package. For Ansible Tower and Ansible Automation Platform, lowering the impact from Moderate to Low as the vulnerable function, i.e. the lxml HTML Cleaner, and the vulnerable attribute, i.e. HTML formaction, are not being used.
FEDORA-2021-4cdb0f68c7 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28957
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4158 https://access.redhat.com/errata/RHSA-2021:4158
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162