1925252 – (CVE-2021-23980) CVE-2021-23980 python-bleach: Mutation cross-site scripting in bleach.clean

Bug 1925252 (CVE-2021-23980) - CVE-2021-23980 python-bleach: Mutation cross-site scripting in bleach.clean

Summary: CVE-2021-23980 python-bleach: Mutation cross-site scripting in bleach.clean

Keywords:
Status:	NEW
Alias:	CVE-2021-23980
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1925254 1925253 Red Hat1925257 Red Hat1932063 Red Hat1944800
Blocks:	Embargoed1925255
TreeView+	depends on / blocked

Reported:	2021-02-04 17:15 UTC by Michael Kaplan
Modified:	2022-08-30 12:14 UTC (History)
CC List:	9 users (show)
Fixed In Version:	python-bleach 3.3.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Michael Kaplan 2021-02-04 17:15:09 UTC

A mutation XSS affects users calling bleach.clean with all of:

- svg or math in the allowed tags
- p or br in allowed tags
- style in allowed tags
- the keyword argument strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

Comment 1 Michael Kaplan 2021-02-04 17:15:13 UTC

External References:

https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq

Comment 2 Michael Kaplan 2021-02-04 17:15:33 UTC

Created python-bleach tracking bugs for this issue:

Affects: epel-all [bug 1925254]
Affects: fedora-all [bug 1925253]

Comment 5 Tapas Jena 2021-03-30 17:11:42 UTC

Reducing the impact of the vulnerability on Ansible Automation Platform from Medium to Low as the affected functionality of the Python bleach is not enabled by default.

Note You need to log in before you can comment on or make changes to this bug.