CVE-2021-43818

CVSS V2 Medium 6.8 CVSS V3 High 7.1
Description
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
Overview
  • CVE ID
  • CVE-2021-43818
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2021-12-13T18:15:08
  • Last Modified Date
  • 2022-12-09T16:38:29
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:* 1 OR 4.6.5
AND
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:solidfire_enterprise_sds:-:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:netapp:hci_storage_node_firmware:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 6.8
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 6.4
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • CHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • LOW
  • Base Score
  • 7.1
  • Base Severity
  • HIGH
  • Exploitability Score
  • 2.8
  • Impact Score
  • 3.7
References
Reference URL Reference Tags
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a Patch Third Party Advisory
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 Patch Third Party Advisory
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 Patch Third Party Advisory
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202208-06
https://security.netapp.com/advisory/ntap-20220107-0005/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5043 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
History
Created Old Value New Value Data Type Notes
2022-04-20 16:58:52 Added to TrackCVE
2022-12-06 03:41:12 2021-12-13T18:15Z 2021-12-13T18:15:08 CVE Published Date updated
2022-12-06 03:41:12 2022-08-10T20:15:24 CVE Modified Date updated
2022-12-06 03:41:12 Undergoing Analysis Vulnerability Status updated
2022-12-06 03:41:13 CWE-74 Weakness Enumeration updated
2022-12-06 03:41:18 References updated
2022-12-09 17:12:56 2022-12-09T16:38:29 CVE Modified Date updated
2022-12-09 17:12:56 Undergoing Analysis Analyzed Vulnerability Status updated