-
Notifications
You must be signed in to change notification settings - Fork 319
/
GHSA-vv2x-vrpj-qqpq.json
102 lines (102 loc) · 4.48 KB
/
GHSA-vv2x-vrpj-qqpq.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
{
"schema_version": "1.4.0",
"id": "GHSA-vv2x-vrpj-qqpq",
"modified": "2024-09-13T15:15:58Z",
"published": "2021-02-02T17:58:40Z",
"aliases": [
"CVE-2021-23980"
],
"summary": "Cross-site scripting in Bleach",
"details": "### Impact \n\nA [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of:\n\n* `svg` or `math` in the allowed tags\n* `p` or `br` in allowed tags\n* `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` in allowed tags\n* the keyword argument `strip_comments=False`\n\nNote: none of the above tags are in the default allowed tags and `strip_comments` defaults to `True`.\n\n### Patches\n\nUsers are encouraged to upgrade to bleach v3.3.0 or greater.\n\nNote: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.\n\n### Workarounds\n\n* modify `bleach.clean` calls to at least one of:\n * not allow the `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` tag\n * not allow `svg` or `math` tags\n * not allow `p` or `br` tags\n * set `strip_comments=True`\n\n* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=1689399\n* https://advisory.checkmarx.net/advisory/CX-2021-4303\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980\n* https://cure53.de/fp170.pdf\n\n### Credits\n\n* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx\n* Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by [Michał Bentkowski](https://twitter.com/SecurityMB) at Securitum\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)\n* Email us at [security@mozilla.org](mailto:security@mozilla.org)",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bleach"
},
"ecosystem_specific": {
"affected_functions": [
"bleach.clean"
]
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23980"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13"
},
{
"type": "WEB",
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4303"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1689399"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980"
},
{
"type": "WEB",
"url": "https://cure53.de/fp170.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/bleach"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2021-865.yaml"
},
{
"type": "WEB",
"url": "https://pypi.org/project/bleach"
}
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2021-02-02T15:54:20Z",
"nvd_published_at": "2023-02-16T22:15:00Z"
}
}