bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
References
Link | Resource |
---|---|
https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 | Exploit Issue Tracking |
https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm | Vendor Advisory |
Configurations
History
28 Feb 2023, 14:46
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:mozilla:bleach:*:*:*:*:*:*:*:* | |
References | (MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 - Exploit, Issue Tracking | |
References | (MISC) https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm - Vendor Advisory | |
CWE | CWE-1333 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
17 Feb 2023, 12:52
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-16 22:15
Updated : 2024-02-04 23:14
NVD link : CVE-2020-6817
Mitre link : CVE-2020-6817
CVE.ORG link : CVE-2020-6817
JSON object : View
Products Affected
mozilla
- bleach
CWE
CWE-1333
Inefficient Regular Expression Complexity