Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ2MngtdnJwai1xcXBx
Cross-site scripting in Bleach
Impact
A mutation XSS affects users calling bleach.clean
with all of:
svg
ormath
in the allowed tagsp
orbr
in allowed tagsstyle
,title
,noscript
,script
,textarea
,noframes
,iframe
, orxmp
in allowed tags- the keyword argument
strip_comments=False
Note: none of the above tags are in the default allowed tags and strip_comments
defaults to True
.
Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
Workarounds
-
modify
bleach.clean
calls to at least one of:- not allow the
style
,title
,noscript
,script
,textarea
,noframes
,iframe
, orxmp
tag - not allow
svg
ormath
tags - not allow
p
orbr
tags - set
strip_comments=True
- not allow the
-
A strong Content-Security-Policy without
unsafe-inline
andunsafe-eval
script-src
s) will also help mitigate the risk.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://advisory.checkmarx.net/advisory/CX-2021-4303
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
- https://cure53.de/fp170.pdf
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
- Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by Michał Bentkowski at Securitum
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/mozilla/bleach/issues
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ2MngtdnJwai1xcXBx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 8 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-vv2x-vrpj-qqpq, CVE-2021-23980
References:
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://cure53.de/fp170.pdf
- https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4
- https://pypi.org/project/bleach/
- https://nvd.nist.gov/vuln/detail/CVE-2021-23980
- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980
- https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
Blast Radius: 29.7
Affected Packages
pypi:bleach
Dependent packages: 450Dependent repositories: 75,321
Downloads: 22,467,908 last month
Affected Version Ranges: < 3.3.0
Fixed in: 3.3.0
All affected versions: 0.1.1, 0.1.2, 0.2.1, 0.2.2, 0.3.1, 0.3.3, 0.3.4, 0.5.0, 0.5.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 2.0.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3
All unaffected versions: 3.3.0, 3.3.1, 4.0.0, 4.1.0, 5.0.0, 5.0.1, 6.0.0, 6.1.0