CVE-2018-7753

Summary

CVE	CVE-2018-7753
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-03-07 23:29:00 UTC
Updated	2018-03-29 13:50:00 UTC
Description	An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Mozilla	Bleach	2.1	All	All	All
Application	Mozilla	Bleach	2.1.1	All	All	All
Application	Mozilla	Bleach	2.1.2	All	All	All
Application	Mozilla	Bleach	2.1	All	All	All
Application	Mozilla	Bleach	2.1.1	All	All	All
Application	Mozilla	Bleach	2.1.2	All	All	All

References

Reference	Source	Link	Tags
#892252 - python-bleach: CVE-2018-7753: URI values with character entities not properly sanitized - Debian Bug report logs	MISC	bugs.debian.org	Third Party Advisory
Merge pull request #356 from willkg/fix-entities · mozilla/bleach@c5df578 · GitHub	MISC	github.com	Patch, Third Party Advisory
Release v2.1.3: Version 2.1.3 (March 5th, 2018) · mozilla/bleach · GitHub	MISC	github.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

980991 Python (pip) Security Update for bleach (GHSA-m9mq-p2f9-cfqv)