CVE-2021-43818: HTML Cleaner allows crafted and SVG embedded scripts to pass through
First published: Sun Dec 12 2021(Updated: )
### Impact The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5. ### Patches The issue has been resolved in lxml 4.6.5. ### Workarounds None. ### References The issues are tracked under the report IDs GHSL-2021-1037 and GHSL-2021-1038.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-lxml | <0:4.2.3-4.el8 | 0:4.2.3-4.el8 |
| redhat/python-lxml | <0:4.7.1-1.el8 | 0:4.7.1-1.el8 |
| redhat/rh-python38-python-lxml | <0:4.4.1-8.el7 | 0:4.4.1-8.el7 |
| debian/lxml | 4.3.2-1+deb10u4 4.6.3+dfsg-0.1+deb11u1 4.9.2-1 4.9.3-1 | |
| Lxml Lxml | <4.6.5 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Netapp Solidfire | ||
| Netapp Solidfire Enterprise Sds | ||
| Netapp Hci Storage Node Firmware | ||
| Netapp Hci Storage Node | ||
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
| Oracle Communications Cloud Native Core Policy | =22.2.0 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| redhat/python-lxml | <4.6.5 | 4.6.5 |
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |
| pip/lxml | <4.6.5 | 4.6.5 |
| All of | ||
| Netapp Hci Storage Node Firmware | ||
| Netapp Hci Storage Node |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-43818 https://nvd.nist.gov/vuln/detail/CVE-2021-43818 https://github.com/lxml/lxml/blob/lxml-4.6.5/CHANGES.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=2032569
- https://access.redhat.com/errata/RHSA-2022:1763
- https://access.redhat.com/errata/RHSA-2022:1764
- https://access.redhat.com/errata/RHSA-2022:1821
- https://access.redhat.com/errata/RHSA-2022:1932
- https://access.redhat.com/errata/RHSA-2022:5498
- https://access.redhat.com/errata/RHSA-2022:1664
- https://access.redhat.com/security/cve/cve-2021-43818
- https://security-tracker.debian.org/tracker/CVE-2021-43818
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
- https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001885
- https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
- https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
- https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
- https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
- https://security.gentoo.org/glsa/202208-06
- https://security.netapp.com/advisory/ntap-20220107-0005/
- https://www.debian.org/security/2022/dsa-5043
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2032571
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2032572
- https://github.com/pulp/pulp/blob/308d164420ac489e030a7a6488ff6712d7de44f6/playpen/metadata/updatemetadata_lxml.py#L7
- https://github.com/ansible/tower/blob/a206d7985124960a4e408a0c647617dbb1776433/requirements/requirements.txt#L196
- https://github.com/ansible/ansible/blob/2cbfd1e350cbe1ca195d33306b5a9628667ddda8/lib/ansible/plugins/netconf/__init__.py#L43
- https://exchange.xforce.ibmcloud.com/vulnerabilities/215122
- https://www.ibm.com/support/pages/node/7150684 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
- https://nvd.nist.gov/vuln/detail/CVE-2021-43818
- https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44
- https://security.netapp.com/advisory/ntap-20220107-0005
- https://github.com/advisories/GHSA-55x5-fj6c-h6m8 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-43818?
CVE-2021-43818 is a vulnerability in python-lxml's HTML Cleaner component that allows an attacker to trigger script execution in clients.
How does CVE-2021-43818 affect python-lxml?
CVE-2021-43818 affects python-lxml versions prior to 4.6.5.
What is the severity of CVE-2021-43818?
CVE-2021-43818 has a severity rating of 8.8 (High).
How can the CVE-2021-43818 vulnerability be fixed?
To fix the CVE-2021-43818 vulnerability, upgrade python-lxml to version 4.6.5 or higher.
Where can I find more information about CVE-2021-43818?
You can find more information about CVE-2021-43818 at the following references: [link1], [link2], [link3].
- collector/redhat-cve
- collector/debian-bugs
- alias/CVE-2021-43818
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-55x5-fj6c-h6m8
- agent/author
- agent/references
- agent/last-modified-date
- agent/tags
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/github-advisory
- package-manager/redhat
- package-manager/debian
- vendor/lxml
- canonical/lxml lxml
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/netapp
- canonical/netapp solidfire
- canonical/netapp solidfire enterprise sds
- canonical/netapp hci storage node firmware
- canonical/netapp hci storage node
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core network exposure function
- version/oracle communications cloud native core network exposure function/22.1.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/22.2.0
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5 - 7.5.0 up8 if01
- package-manager/pip