Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ2MngtdnJwai1xcXBx
Cross-site scripting in Bleach
Impact
A mutation XSS affects users calling bleach.clean with all of:
svgormathin the allowed tagsporbrin allowed tagsstyle,title,noscript,script,textarea,noframes,iframe, orxmpin allowed tags- the keyword argument
strip_comments=False
Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
Workarounds
-
modify
bleach.cleancalls to at least one of:- not allow the
style,title,noscript,script,textarea,noframes,iframe, orxmptag - not allow
svgormathtags - not allow
porbrtags - set
strip_comments=True
- not allow the
-
A strong Content-Security-Policy without
unsafe-inlineandunsafe-evalscript-srcs) will also help mitigate the risk.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://advisory.checkmarx.net/advisory/CX-2021-4303
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
- https://cure53.de/fp170.pdf
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
- Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by Michał Bentkowski at Securitum
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/mozilla/bleach/issues
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ2MngtdnJwai1xcXBx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 8 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-vv2x-vrpj-qqpq, CVE-2021-23980
References:
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://cure53.de/fp170.pdf
- https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4
- https://pypi.org/project/bleach/
- https://nvd.nist.gov/vuln/detail/CVE-2021-23980
- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980
- https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
Blast Radius: 29.7
Affected Packages
pypi:bleach
Dependent packages: 450Dependent repositories: 75,321
Downloads: 22,467,908 last month
Affected Version Ranges: < 3.3.0
Fixed in: 3.3.0
All affected versions: 0.1.1, 0.1.2, 0.2.1, 0.2.2, 0.3.1, 0.3.3, 0.3.4, 0.5.0, 0.5.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 2.0.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3
All unaffected versions: 3.3.0, 3.3.1, 4.0.0, 4.1.0, 5.0.0, 5.0.1, 6.0.0, 6.1.0