First published: Sun Dec 12 2021(Updated: )
### Impact The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5. ### Patches The issue has been resolved in lxml 4.6.5. ### Workarounds None. ### References The issues are tracked under the report IDs GHSL-2021-1037 and GHSL-2021-1038.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/python-lxml | <0:4.2.3-4.el8 | 0:4.2.3-4.el8 |
redhat/python-lxml | <0:4.7.1-1.el8 | 0:4.7.1-1.el8 |
redhat/rh-python38-python-lxml | <0:4.4.1-8.el7 | 0:4.4.1-8.el7 |
debian/lxml | 4.3.2-1+deb10u4 4.6.3+dfsg-0.1+deb11u1 4.9.2-1 4.9.3-1 | |
Lxml Lxml | <4.6.5 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Netapp Solidfire | ||
Netapp Solidfire Enterprise Sds | ||
Netapp Hci Storage Node Firmware | ||
Netapp Hci Storage Node | ||
Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
Oracle Communications Cloud Native Core Policy | =22.2.0 | |
Oracle HTTP Server | =12.2.1.3.0 | |
Oracle HTTP Server | =12.2.1.4.0 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
redhat/python-lxml | <4.6.5 | 4.6.5 |
IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |
pip/lxml | <4.6.5 | 4.6.5 |
All of | ||
Netapp Hci Storage Node Firmware | ||
Netapp Hci Storage Node | ||
<4.6.5 | ||
=34 | ||
=35 | ||
=9.0 | ||
=10.0 | ||
=11.0 | ||
All of | ||
=22.1.3 | ||
=22.1.1 | ||
=22.2.0 | ||
=12.2.1.3.0 | ||
=12.2.1.4.0 | ||
=8.8 |
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2021-43818 is a vulnerability in python-lxml's HTML Cleaner component that allows an attacker to trigger script execution in clients.
CVE-2021-43818 affects python-lxml versions prior to 4.6.5.
CVE-2021-43818 has a severity rating of 8.8 (High).
To fix the CVE-2021-43818 vulnerability, upgrade python-lxml to version 4.6.5 or higher.
You can find more information about CVE-2021-43818 at the following references: [link1], [link2], [link3].