CVE-2021-43818

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

CVSS v3 7.1 HIGH
CVSS v2.0 6.8 MEDIUM

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a	Patch Third Party Advisory
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776	Patch Third Party Advisory
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0	Patch Third Party Advisory
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
https://security.gentoo.org/glsa/202208-06	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220107-0005/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5043	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:solidfire:-:::::::*
	cpe:2.3:a:netapp:solidfire_enterprise_sds:-:::::::*

Configuration 5 (hide)

AND

cpe:2.3:o:netapp:hci_storage_node_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:::::::*
	cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*

History

10 Aug 2022, 20:15

Type	Values Removed	Values Added
References		(GENTOO) https://security.gentoo.org/glsa/202208-06 -
CWE		CWE-74

09 Aug 2022, 13:19

Type	Values Removed	Values Added
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
CWE	~~CWE-74~~
CPE		cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:::::::*

25 Jul 2022, 18:17

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

16 Jun 2022, 15:35

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::* cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::* cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

20 Apr 2022, 00:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

10 Feb 2022, 16:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:netapp:solidfire:-:::::::* cpe:2.3:h:netapp:hci_storage_node:-:::::::* cpe:2.3:o:netapp:hci_storage_node_firmware:-:::::::* cpe:2.3:a:netapp:solidfire_enterprise_sds:-:::::::*
References	~~(DEBIAN) https://www.debian.org/security/2022/dsa-5043 -~~	(DEBIAN) https://www.debian.org/security/2022/dsa-5043 - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html - Third Party Advisory~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20220107-0005/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20220107-0005/ - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ - Mailing List, Third Party Advisory

23 Jan 2022, 03:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ -

15 Jan 2022, 03:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ -

13 Jan 2022, 03:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2022/dsa-5043 -

10 Jan 2022, 14:10

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20220107-0005/ -

04 Jan 2022, 16:08

Type	Values Removed	Values Added
CPE		cpe:2.3:o:fedoraproject:fedora:34:::::::*
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html - Third Party Advisory

30 Dec 2021, 19:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html -

26 Dec 2021, 03:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ -

16 Dec 2021, 17:03

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.2~~	v2 : 6.8 v3 : 7.1
CPE		cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::* cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:lxml:lxml::::::::
References	~~(CONFIRM) https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 -~~	(CONFIRM) https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 - Third Party Advisory
References	~~(MISC) https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a -~~	(MISC) https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a - Patch, Third Party Advisory
References	~~(MISC) https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 -~~	(MISC) https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 -~~	(MISC) https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 - Patch, Third Party Advisory

13 Dec 2021, 18:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-12-13 18:15

Updated : 2024-02-04 22:08

NVD link : CVE-2021-43818

Mitre link : CVE-2021-43818

CVE.ORG link : CVE-2021-43818

JSON object : View

Products Affected

oracle

communications_cloud_native_core_binding_support_function
zfs_storage_appliance_kit
communications_cloud_native_core_network_exposure_function
communications_cloud_native_core_policy
http_server

netapp

solidfire
solidfire_enterprise_sds
hci_storage_node_firmware
hci_storage_node

fedoraproject

fedora

lxml

lxml

debian

debian_linux

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.1 /10