Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZxaHAtY3hnYy02d21t

regular expression denial-of-service (ReDoS) in Bleach

Impact

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

Patches

3.1.4

Workarounds

do not whitelist the style attribute in bleach.clean calls
limit input string length

References

Credits

Reported by schwag09 of r2c

For more information

If you have any questions or comments about this advisory:

Open an issue at https://github.com/mozilla/bleach/issues
Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-vqhp-cxgc-6wmm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZxaHAtY3hnYy02d21t
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-vqhp-cxgc-6wmm, CVE-2020-6817
References:

Repository: https://github.com/mozilla/bleach
Blast Radius: 36.6

Affected Packages

pypi:bleach

Dependent packages: 450
Dependent repositories: 75,321
Downloads: 22,467,908 last month
Affected Version Ranges: < 3.1.4
Fixed in: 3.1.4
All affected versions: 0.1.1, 0.1.2, 0.2.1, 0.2.2, 0.3.1, 0.3.3, 0.3.4, 0.5.0, 0.5.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 2.0.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3
All unaffected versions: 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 4.0.0, 4.1.0, 5.0.0, 5.0.1, 6.0.0, 6.1.0