Описание
Cross-site scripting in Bleach
Impact
A mutation XSS affects users calling bleach.clean with all of:
svgormathin the allowed tagsporbrin allowed tagsstyle,title,noscript,script,textarea,noframes,iframe, orxmpin allowed tags- the keyword argument
strip_comments=False
Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
Workarounds
-
modify
bleach.cleancalls to at least one of:- not allow the
style,title,noscript,script,textarea,noframes,iframe, orxmptag - not allow
svgormathtags - not allow
porbrtags - set
strip_comments=True
- not allow the
-
A strong Content-Security-Policy without
unsafe-inlineandunsafe-evalscript-srcs) will also help mitigate the risk.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://advisory.checkmarx.net/advisory/CX-2021-4303
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
- https://cure53.de/fp170.pdf
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
- Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by Michał Bentkowski at Securitum
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/mozilla/bleach/issues
- Email us at security@mozilla.org
Ссылки
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://nvd.nist.gov/vuln/detail/CVE-2021-23980
- https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13
- https://advisory.checkmarx.net/advisory/CX-2021-4303
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980
- https://cure53.de/fp170.pdf
- https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4
- https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2021-865.yaml
- https://pypi.org/project/bleach
Пакеты
bleach
< 3.3.0
3.3.0
Связанные уязвимости
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
A mutation XSS affects users calling bleach.clean with all of: svg or ...