Bug 1941534 (CVE-2021-28957) - CVE-2021-28957 python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS
Summary: CVE-2021-28957 python-lxml: Missing input sanitization for formaction HTML5 a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-28957
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1946882 1941535 1941690 1941709 1941710 1941711 1941712 1941713 1941910 1941955 1946880 1946881 1969519
Blocks: 1941538
Reported: 2021-03-22 10:37 UTC by Marian Rehak
Modified: 2022-04-17 21:14 UTC (History)

Fixed In Version: python-lxml 4.6.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-lxml. The HTML5 formaction attribute is not sanitized the way the HTML action attribute is, which can lead to a Cross-Site Scripting (XSS) attack when an application uses python-lxml to sanitize user input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-08-24 15:35:08 UTC
Embargoed:



Links (System, ID, Last Updated; the Private, Priority, Status and Summary fields are empty for every entry)
Red Hat Product Errata  RHSA-2021:3254  2021-08-24 08:09:12 UTC
Red Hat Product Errata  RHSA-2021:4151  2021-11-09 17:25:19 UTC
Red Hat Product Errata  RHSA-2021:4158  2021-11-09 17:27:08 UTC
Red Hat Product Errata  RHSA-2021:4160  2021-11-09 17:27:14 UTC
Red Hat Product Errata  RHSA-2021:4162  2021-11-09 17:28:19 UTC

Description Marian Rehak 2021-03-22 10:37:38 UTC
lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.

Reference:

https://bugs.launchpad.net/lxml/+bug/1888153

Comment 1 Marian Rehak 2021-03-22 10:38:06 UTC
Created python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 1941535]

Comment 2 Riccardo Schirone 2021-03-22 14:40:28 UTC
Upstream patch:
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d

Comment 4 Riccardo Schirone 2021-03-22 15:39:29 UTC
Created python3-lxml tracking bugs for this issue:

Affects: epel-all [bug 1941690]

Comment 6 Riccardo Schirone 2021-03-22 16:17:36 UTC
python-lxml with the lxml.html.clean.Cleaner class allows cleaning documents of each of the possible offending elements, like `javascript:`, script tags, etc. However, due to this flaw it did not clean possibly offending elements in the "formaction" attribute of buttons and similar HTML objects, because the attribute was not considered one to look for links.
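
As an added illustration of the gap described in Comment 6 (a stdlib-only model written for this page, not lxml's own code): a cleaner only inspects the attributes it treats as link attributes, so an attribute missing from that set is never checked at all. The two link-attribute sets, the unsafe-scheme list and the sample markup are constructed; the fixed set is modelled on the upstream patch, which adds formaction alongside action.

```python
from html.parser import HTMLParser

# Constructed sets (not copied from lxml/html/defs.py): before the fix,
# 'action' was treated as a link attribute but HTML5 'formaction' was not,
# so a cleaner keyed on this set never looked at a button's formaction.
LINK_ATTRS_BEFORE_FIX = frozenset({"href", "src", "action", "background"})
# Modelled on the upstream fix: formaction is inspected like action.
LINK_ATTRS_FIXED = LINK_ATTRS_BEFORE_FIX | {"formaction"}

UNSAFE_SCHEMES = ("javascript:", "vbscript:", "data:")  # rejected in link attrs


def is_unsafe_url(value):
    """True if the value, with embedded whitespace removed and lower-cased
    (browsers tolerate both), starts with a rejected scheme."""
    normalised = "".join(value.split()).lower()
    return normalised.startswith(UNSAFE_SCHEMES)


class LinkAuditor(HTMLParser):
    """Record (tag, attribute, value) for every link attribute in
    link_attrs whose value carries an unsafe scheme."""
    def __init__(self, link_attrs):
        super().__init__()
        self.link_attrs = link_attrs
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in self.link_attrs and is_unsafe_url(value):
                self.findings.append((tag, name, value))


def audit(html, link_attrs):
    """Return the unsafe link attributes a cleaner using link_attrs would
    catch; an attribute absent from link_attrs passes through unchecked."""
    auditor = LinkAuditor(link_attrs)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a button whose formaction overrides the form action.
SAMPLE = ('<form action="javascript:alert(1)">'
          '<button formaction="javascript:alert(2)">go</button></form>')

if __name__ == "__main__":
    print("before fix:", audit(SAMPLE, LINK_ATTRS_BEFORE_FIX))
    print("fixed:", audit(SAMPLE, LINK_ATTRS_FIXED))
```

Running it shows the form's action flagged under both sets while the button's formaction is only flagged once the attribute is in the set, which is exactly the blind spot a cleaner built on the pre-4.6.3 list had.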

Comment 11 Tapas Jena 2021-04-06 16:52:15 UTC
Completed analysis for Ansible Tower and AAP 1.2 and found that, though an affected lxml version is being used, it's just not used in a vulnerable way.
That is, there is no usage of the HTML Cleaner lib/function along with the formaction attribute. Hence, marking both Tower and AAP 1.2 as "Not Affected".

Comment 12 Tapas Jena 2021-04-07 06:38:26 UTC
Lowering the impact for Tower and AAP 1.2 from Moderate to Low as the concerned function/attribute which causes this vulnerability is not in use.

Comment 14 Tapas Jena 2021-04-07 07:03:31 UTC
Statement:

Web applications vulnerable to this flaw, where an XSS attack can be accomplished, are only those that use python-lxml to sanitize HTML input and that allow user data to be placed in the "formaction" attribute of a form button.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the package is unlikely to be exploited in the RHOSP environment, no update will be provided at this time for the RHOSP python-lxml package.

For Ansible Tower and Ansible Automation Platform, lowering the impact from Moderate to Low as the vulnerable function, i.e. the lxml HTML Cleaner, and the vulnerable attribute, i.e. HTML formaction, are not being used.

Comment 17 Fedora Update System 2021-06-04 01:02:54 UTC
FEDORA-2021-4cdb0f68c7 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2021-08-24 08:09:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 21 Product Security DevOps Team 2021-08-24 15:35:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28957

Comment 22 errata-xmlrpc 2021-11-09 17:25:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151

Comment 23 errata-xmlrpc 2021-11-09 17:27:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4158 https://access.redhat.com/errata/RHSA-2021:4158

Comment 24 errata-xmlrpc 2021-11-09 17:27:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 25 errata-xmlrpc 2021-11-09 17:28:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
