CVE-2021-43818

CVE-2021-43818

Name

CVE-2021-43818

Description

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
MISC	https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
CONFIRM	https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
MISC	https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
Third Party Advisory	https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
Third Party Advisory	https://security.netapp.com/advisory/ntap-20220107-0005/
Third Party Advisory	https://www.debian.org/security/2022/dsa-5043
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html

Type

URI

MISC

https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0

MISC

https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776

CONFIRM

https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8

MISC

https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220107-0005/

Third Party Advisory

https://www.debian.org/security/2022/dsa-5043

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/

MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:lxml:lxml::::::::`	lxml	>= None	< 4.6.5

CPE URI

Source package

Min version

Max version

cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*

lxml

>= None

< 4.6.5

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-lxml	edge-main	4.6.5-r0	None	fixed
py3-lxml	edge-community	4.6.5-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
py3-lxml	3.22-main	4.6.5-r0	None	fixed
py3-lxml	3.21-main	4.6.5-r0	None	fixed
py3-lxml	3.20-main	4.6.5-r0	None	fixed
py3-lxml	3.19-main	4.6.5-r0	None	fixed
py3-lxml	3.18-main	4.6.5-r0	None	fixed
py3-lxml	3.17-main	4.6.5-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

py3-lxml

edge-main

4.6.5-r0

None

fixed

py3-lxml

edge-community