Description
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and JavaScript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as . XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances.
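A defender-side audit for the content class this advisory describes: SVG images embedded as data: URIs whose payload still carries script. This is an added example, not code from the advisory, Red Hat or lxml; it uses only the Python standard library so it can be run over a sanitizer's output regardless of which lxml version is installed, and the attribute set, regexes and sample markup are my own constructed assumptions.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote
# Attributes that commonly carry a URI into which a whole SVG document can be embedded (assumed set).
URI_ATTRS = {"src", "href", "xlink:href", "data"}
DATA_URI = re.compile(r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^,]*)*),(?P<body>.*)$", re.S | re.I)
# Script vectors worth flagging inside an SVG payload: script elements, on* handlers, javascript: URLs.
SCRIPT_MARKERS = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)

def decode_data_uri(value):
    """Return (mime, decoded payload) for a data: URI, or None if value is not one."""
    m = DATA_URI.match(value)
    if m is None:
        return None
    mime, body = m.group("mime").lower(), m.group("body")
    if ";base64" not in m.group("params").lower():
        return mime, unquote(body)
    body = re.sub(r"\s+", "", body)
    try:
        return mime, base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "replace")
    except ValueError:
        return mime, ""  # undecodable base64 cannot be judged; treat payload as empty

class DataUriAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute) pairs whose data: URI embeds scripted SVG
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            decoded = decode_data_uri(value or "") if name.lower() in URI_ATTRS else None
            if decoded is None:
                continue
            mime, payload = decoded
            if ("svg" in mime or "<svg" in payload.lower()) and SCRIPT_MARKERS.search(payload):
                self.findings.append((tag, name))

def find_scripted_svg_data_uris(html):
    """Audit sanitizer output; a non-empty result means scripted SVG got through the cleaner."""
    auditor = DataUriAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
# Constructed sample: one scripted SVG (flagged), one script-free SVG and one PNG (not flagged).
_SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* marker */</script></svg>'
SAMPLE_HTML = (
    '<img src="data:image/svg+xml;base64,' + base64.b64encode(_SCRIPTED_SVG).decode() + '">'
    '<img src="data:image/svg+xml,%3Csvg%3E%3Ccircle%20r%3D%221%22%2F%3E%3C%2Fsvg%3E">'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)
```

Running `find_scripted_svg_data_uris` on the cleaner's output is a cheap regression check to pair with the version upgrade; it flags only data: URIs, so externally hosted SVGs need a separate policy.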
Statement
This flaw is rated as Moderate because code execution is limited to the web browser scope. The following products ship the affected component; however, the vulnerability is not exposed in the product code. Therefore, we are reducing their impact to Moderate.
- Red Hat Satellite 6.10
- Red Hat Update Infrastructure for Cloud Providers 4
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ansible Automation Platform 1.2 | lxml | Affected | ||
Red Hat Ansible Automation Platform 2 | lxml | Affected | ||
Red Hat Ansible Tower 3 | lxml | Affected | ||
Red Hat Enterprise Linux 6 | python-lxml | Out of support scope | ||
Red Hat Enterprise Linux 7 | python-lxml | Out of support scope | ||
Red Hat Enterprise Linux 8 | inkscape:flatpak/python-lxml | Not affected | ||
Red Hat Enterprise Linux 9 | python-lxml | Not affected | ||
Red Hat OpenStack Platform 13 (Queens) | python-lxml | Out of support scope | ||
Red Hat Update Infrastructure 3 for Cloud Providers | python-lxml | Affected | ||
Red Hat Enterprise Linux 8 | python39 | Fixed | RHSA-2022:1763 | 10.05.2022 |
Additional information
CVSS3: 8.8 High