Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-43818

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Published

2021-12-13T18:15:08.387

Last Modified

2024-11-21T06:29:51.497

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-74
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lxml	lxml	< 4.6.5	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes
Application	netapp	solidfire	-	Yes
Application	netapp	solidfire_enterprise_sds	-	Yes
Operating System	netapp	hci_storage_node_firmware	-	Yes
Hardware	netapp	hci_storage_node	-	No
Application	oracle	communications_cloud_native_core_binding_support_function	22.1.3	Yes
Application	oracle	communications_cloud_native_core_network_exposure_function	22.1.1	Yes
Application	oracle	communications_cloud_native_core_policy	22.2.0	Yes
Application	oracle	http_server	12.2.1.3.0	Yes
Application	oracle	http_server	12.2.1.4.0	Yes
Application	oracle	zfs_storage_appliance_kit	8.8	Yes

References

https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a Patch, Third Party Advisory ([email protected])
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 Patch, Third Party Advisory ([email protected])
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 Patch, Third Party Advisory ([email protected])
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ ([email protected])
https://security.gentoo.org/glsa/202208-06 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220107-0005/ Third Party Advisory ([email protected])
https://www.debian.org/security/2022/dsa-5043 Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-06 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220107-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5043 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)