lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Reference: https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8

Upstream patches:
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
Created mingw-python-lxml tracking bugs for this issue: Affects: fedora-all [bug 2032571]
Created python-lxml tracking bugs for this issue: Affects: fedora-all [bug 2032572]
RHUI 4 does not use lxml directly; it's pulp's dependency. Pulp uses lxml.etree, but that is not vulnerable here. The following location uses lxml.html, but clean_html is not being used anywhere. RHUI is not vulnerable in code. https://github.com/pulp/pulp/blob/308d164420ac489e030a7a6488ff6712d7de44f6/playpen/metadata/updatemetadata_lxml.py#L7
Creating the missing affect for Ansible Automation Platform 2.0
Analysis is complete for Ansible and its components, and it was found that though Ansible Tower (now Controller)/AWX uses the vulnerable version of lxml [1], it doesn't use the vulnerable function, i.e. clean_html, anywhere [2]. However, to be on the safer side, it's always better to upgrade to the secure version of lxml (i.e. 4.6.x; the current version is 4.5) in this case to avoid introduction of such vulnerable functionality in future, unless there is a backward compatibility issue or hard dependency on the current version. Hence, marking the Ansible components as Affected --> delegated and creating the required trackers.
[1] https://github.com/ansible/tower/blob/a206d7985124960a4e408a0c647617dbb1776433/requirements/requirements.txt#L196
[2] https://github.com/ansible/ansible/blob/2cbfd1e350cbe1ca195d33306b5a9628667ddda8/lib/ansible/plugins/netconf/__init__.py#L43
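The two triage comments above (RHUI/pulp and Ansible) both apply the same check: is the installed lxml older than 4.6.5, and does the code actually reach lxml.html.clean (clean_html / Cleaner) rather than just lxml.etree? The script below is an added example of automating that check; it is not code from lxml, pulp, Ansible or Red Hat. The sample source it scans is constructed, the CLEANER_NAMES shortlist is an assumption, and the script deliberately does not import lxml, so it also runs where lxml is absent.

```python
import ast
from importlib import metadata
from itertools import takewhile
from typing import List, Optional, Tuple

FIXED_VERSION = (4, 6, 5)                  # first lxml release with the Cleaner fix (per the advisory)
CLEANER_NAMES = {"clean_html", "Cleaner"}  # assumed shortlist of lxml.html.clean entry points to flag


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.6.5' -> (4, 6, 5); a suffix such as '4.6.5rc1' stops the parse at the last digit."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def lxml_version_is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def installed_lxml_version() -> Optional[str]:
    """lxml version visible to this interpreter, or None if lxml is not installed."""
    try:
        return metadata.version("lxml")
    except metadata.PackageNotFoundError:
        return None


def find_cleaner_usage(source: str) -> List[Tuple[int, str]]:
    """Return (line, what) for every lxml.html.clean import and every clean_html()/Cleaner() call."""
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            hits += [(node.lineno, f"import {a.name}") for a in node.names if a.name.startswith("lxml.html.clean")]
        elif isinstance(node, ast.ImportFrom):
            names = [a.name for a in node.names]
            if node.module == "lxml.html.clean" or (node.module == "lxml.html" and "clean" in names):
                hits.append((node.lineno, f"from {node.module} import {', '.join(names)}"))
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in CLEANER_NAMES:
                hits.append((node.lineno, f"{name}() call"))
    return sorted(hits)


SAMPLE_SOURCE = '''\
from lxml import etree                  # parsing only: not the vulnerable component
from lxml.html.clean import clean_html  # line 2: reaches the Cleaner
import lxml.html                        # line 3: lxml.html alone is not flagged

def strip(untrusted):
    return clean_html(untrusted)        # line 6

def strip_scripts(untrusted):
    return lxml.html.clean.Cleaner(scripts=True).clean_html(untrusted)  # line 9, two hits
'''
```

Run on a real tree by feeding each `.py` file's text to `find_cleaner_usage`; a hit list that is empty, as in the pulp and Ansible cases, means the version finding alone does not make the component exploitable.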
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:1664 https://access.redhat.com/errata/RHSA-2022:1664
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1763 https://access.redhat.com/errata/RHSA-2022:1763
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1932 https://access.redhat.com/errata/RHSA-2022:1932
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-43818
This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498