Vulnerability CVE-2021-28957

Vulnerability Name:

CVE-2021-28957 (CCN-198515)

Assigned:

2021-02-17

Published:

2021-02-17

Updated:

2022-12-09

Summary:

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

7.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
6.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2021-28957

Source: cve@mitre.org
Type: Exploit, Issue Tracking, Third Party Advisory
cve@mitre.org

Source: XF
Type: UNKNOWN
lxml-cve202128957-xss(198515)

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: lxml GIT Repository
Add formaction attribute to defs.link_attrs #316

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-28957

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:

cpe:/a:lxml:lxml:4.6.2:*:*:*:*:*:*:*

AND

cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7775	P	python3-lxml-4.9.1-150500.1.2 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3172	P	libfreebl3-3.45-58.31.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94802	P	python3-lxml-4.7.1-3.7.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:6201	P	Security update for python-lxml (Moderate)	2022-03-17
oval:org.opensuse.security:def:93487	P	(Important)	2022-03-10
oval:org.opensuse.security:def:101660	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:119336	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:94275	P	(Important)	2022-03-10
oval:org.opensuse.security:def:100094	P	(Important)	2022-03-10
oval:org.opensuse.security:def:118841	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:93638	P	(Important)	2022-03-10
oval:org.opensuse.security:def:102148	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:99225	P	(Important)	2022-03-10
oval:org.opensuse.security:def:119519	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:94482	P	(Important)	2022-03-10
oval:org.opensuse.security:def:93169	P	(Important)	2022-03-10
oval:org.opensuse.security:def:100432	P	(Important)	2022-03-10
oval:org.opensuse.security:def:119031	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:93849	P	(Important)	2022-03-10
oval:org.opensuse.security:def:968	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:99499	P	(Important)	2022-03-10
oval:org.opensuse.security:def:119704	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:93327	P	(Important)	2022-03-10
oval:org.opensuse.security:def:100766	P	(Important)	2022-03-10
oval:org.opensuse.security:def:119142	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:94061	P	(Important)	2022-03-10
oval:org.opensuse.security:def:1588	P	Security update for python-lxml (Important)	2022-03-10
oval:org.opensuse.security:def:99761	P	(Important)	2022-03-10
oval:org.opensuse.security:def:113307	P	python36-translate-toolkit-3.3.6-1.3 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:113208	P	python-lxml-doc-4.6.3-3.2 on GA media (Moderate)	2022-01-17
oval:com.redhat.rhsa:def:20214160	P	RHSA-2021:4160: python39:3.9 and python39-devel:3.9 security update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214162	P	RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214151	P	RHSA-2021:4151: python27:2.7 security update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214158	P	RHSA-2021:4158: python-lxml security update (Moderate)	2021-11-09
oval:org.opensuse.security:def:106628	P	python-lxml-doc-4.6.3-3.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:106717	P	python36-translate-toolkit-3.3.6-1.3 on GA media (Moderate)	2021-10-01

BACK