CVE-2021-43818: XSS
First published: Sun Dec 12 2021(Updated: )
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-lxml | <4.6.5 | 4.6.5 |
| redhat/python-lxml | <0:4.2.3-4.el8 | 0:4.2.3-4.el8 |
| redhat/python-lxml | <0:4.7.1-1.el8 | 0:4.7.1-1.el8 |
| redhat/rh-python38-python-lxml | <0:4.4.1-8.el7 | 0:4.4.1-8.el7 |
| debian/lxml | 4.3.2-1+deb10u4 4.6.3+dfsg-0.1+deb11u1 4.9.2-1 4.9.3-1 | |
| Lxml Lxml | <4.6.5 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Netapp Solidfire | ||
| Netapp Solidfire Enterprise Sds | ||
| Netapp Hci Storage Node Firmware | ||
| Netapp Hci Storage Node | ||
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
| Oracle Communications Cloud Native Core Policy | =22.2.0 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-43818
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
- https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001885
- https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
- https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
- https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
- https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
- https://security.gentoo.org/glsa/202208-06
- https://security.netapp.com/advisory/ntap-20220107-0005/
- https://www.debian.org/security/2022/dsa-5043
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2032571
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2032572
- https://github.com/pulp/pulp/blob/308d164420ac489e030a7a6488ff6712d7de44f6/playpen/metadata/updatemetadata_lxml.py#L7
- https://github.com/ansible/tower/blob/a206d7985124960a4e408a0c647617dbb1776433/requirements/requirements.txt#L196
- https://github.com/ansible/ansible/blob/2cbfd1e350cbe1ca195d33306b5a9628667ddda8/lib/ansible/plugins/netconf/__init__.py#L43
- https://access.redhat.com/errata/RHSA-2022:1664
- https://access.redhat.com/errata/RHSA-2022:1763
- https://access.redhat.com/errata/RHSA-2022:1764
- https://access.redhat.com/errata/RHSA-2022:1821
- https://access.redhat.com/errata/RHSA-2022:1932
- https://access.redhat.com/security/cve/cve-2021-43818
- https://access.redhat.com/errata/RHSA-2022:5498
- https://bugzilla.redhat.com/show_bug.cgi?id=2032569
- https://www.cve.org/CVERecord?id=CVE-2021-43818 https://nvd.nist.gov/vuln/detail/CVE-2021-43818 https://github.com/lxml/lxml/blob/lxml-4.6.5/CHANGES.txt
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-43818?
CVE-2021-43818 is a vulnerability in python-lxml's HTML Cleaner component that allows an attacker to trigger script execution in clients.
How does CVE-2021-43818 affect python-lxml?
CVE-2021-43818 affects python-lxml versions prior to 4.6.5.
What is the severity of CVE-2021-43818?
CVE-2021-43818 has a severity rating of 8.8 (High).
How can the CVE-2021-43818 vulnerability be fixed?
To fix the CVE-2021-43818 vulnerability, upgrade python-lxml to version 4.6.5 or higher.
Where can I find more information about CVE-2021-43818?
You can find more information about CVE-2021-43818 at the following references: [link1], [link2], [link3].
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/debian-bugs
- alias/CVE-2021-43818
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- vendor/lxml
- canonical/lxml lxml
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/netapp
- canonical/netapp solidfire
- canonical/netapp solidfire enterprise sds
- canonical/netapp hci storage node firmware
- canonical/netapp hci storage node
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core network exposure function
- version/oracle communications cloud native core network exposure function/22.1.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/22.2.0
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- package-manager/redhat
- package-manager/debian