CVE-2021-43818
Summary
| CVE | CVE-2021-43818 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-13 18:15:00 UTC |
| Updated | 2023-11-07 03:39:00 UTC |
| Description | lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. |
Risk And Classification
Problem Types: CWE-79 | CWE-74
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Lxml | Lxml | All | All | All | All |
| Hardware | Netapp | Hci Storage Node | - | All | All | All |
| Operating System | Netapp | Hci Storage Node Firmware | - | All | All | All |
| Application | Netapp | Solidfire | - | All | All | All |
| Application | Netapp | Solidfire Enterprise Sds | - | All | All | All |
| Application | Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.1 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 22.2.0 | All | All | All |
| Application | Oracle | Http Server | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Http Server | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Zfs Storage Appliance Kit | 8.8 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: mingw-python-lxml-4.6.5-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 2871-1] lxml security update | MLIST | lists.debian.org | |
| Prepare release of 4.6.5. · lxml/lxml@a3eacbc · GitHub | MISC | github.com | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| CVE-2021-43818 lxml Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] Fedora 34 Update: python-lxml-4.6.5-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Cleaner: Remove SVG image data URLs since they can embed script content. · lxml/lxml@f233023 · GitHub | MISC | github.com | |
| lxml: Multiple Vulnerabilities (GLSA 202208-06) — Gentoo security | GENTOO | security.gentoo.org | |
| Debian -- Security Information -- DSA-5043-1 lxml | DEBIAN | www.debian.org | |
| Cleaner: Prevent "@import" from re-occurring in the CSS after replace… · lxml/lxml@12fa966 · GitHub | MISC | github.com | |
| FEDORA-2021-6e8fb79f90 | FEDORA | lists.fedoraproject.org | |
| HTML Cleaner allows crafted and SVG embedded scripts to pass through · Advisory · lxml/lxml · GitHub | CONFIRM | github.com | |
| [SECURITY] Fedora 35 Update: python-lxml-4.6.5-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: mingw-python-lxml-4.6.5-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159768 Oracle Enterprise Linux Security Update for ol-automation-manager (ELSA-2022-9341)
- 159797 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2022-1764)
- 159798 Oracle Enterprise Linux Security Update for python-lxml (ELSA-2022-1932)
- 159819 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2022-1821)
- 159823 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2022-1763)
- 178981 Debian Security Update for lxml (DLA 2871-1)
- 178995 Debian Security Update for lxml (DSA 5043-1)
- 182874 Debian Security Update for lxml (CVE-2021-43818)
- 198628 Ubuntu Security Notification for lxml Vulnerability (USN-5225-1)
- 240259 Red Hat Update for red hat software collections (RHSA-2022:1664)
- 240287 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2022:1764)
- 240302 Red Hat Update for python27:2.7 (RHSA-2022:1821)
- 240303 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2022:1763)
- 240311 Red Hat Update for python-lxml (RHSA-2022:1932)
- 240566 Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)
- 282192 Fedora Security Update for mingw (FEDORA-2021-9f9e7c5c4f)
- 282193 Fedora Security Update for mingw (FEDORA-2021-6e8fb79f90)
- 282243 Fedora Security Update for python (FEDORA-2022-96c79bf003)
- 282273 Fedora Security Update for python (FEDORA-2022-7129fbaeed)
- 296062 Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)
- 354350 Amazon Linux Security Advisory for python-lxml : ALAS2022-2022-178
- 354466 Amazon Linux Security Advisory for python-lxml : ALAS2022-2022-074
- 354762 Amazon Linux Security Advisory for python-lxml : ALAS2-2023-1956
- 354846 Amazon Linux Security Advisory for python-lxml : ALAS-2023-1709
- 355116 Amazon Linux Security Advisory for python-lxml : ALAS2023-2023-034
- 502167 Alpine Linux Security Update for py3-lxml
- 504331 Alpine Linux Security Update for py3-lxml
- 671392 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1336)
- 671415 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1360)
- 671450 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1456)
- 671453 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1435)
- 671529 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1494)
- 671531 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1513)
- 671662 EulerOS Security Update for python-lxml (EulerOS-SA-2022-1758)
- 710581 Gentoo Linux lxml Multiple Vulnerabilities (GLSA 202208-06)
- 751854 SUSE Enterprise Linux Security Update for python-lxml (SUSE-SU-2022:0803-1)
- 751858 OpenSUSE Security Update for python-lxml (openSUSE-SU-2022:0803-1)
- 751901 SUSE Enterprise Linux Security Update for python-lxml (SUSE-SU-2022:0895-1)
- 900418 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (7021)
- 901399 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (7025-1)
- 940499 AlmaLinux Security Update for python27:2.7 (ALSA-2022:1821)
- 940506 AlmaLinux Security Update for python-lxml (ALSA-2022:1932)
- 940508 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2022:1763)
- 940557 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2022:1764)
- 960252 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2022:1764)
- 960259 Rocky Linux Security Update for python27:2.7 (RLSA-2022:1821)
- 960269 Rocky Linux Security Update for python39:3.9 and python39-devel:3.9 (RLSA-2022:1763)
- 960363 Rocky Linux Security Update for python-lxml (RLSA-2022:1932)
- 960505 Rocky Linux Security Update for Satellite (RLSA-2022:5498)