Vulnerability Description
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users who employ the HTML Cleaner in a security-relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lxml | Lxml | < 4.6.5 |
| Fedoraproject | Fedora | 34 |
| Debian | Debian Linux | 9.0 |
| Netapp | Solidfire | - |
| Netapp | Solidfire Enterprise Sds | - |
| Netapp | Hci Storage Node Firmware | - |
| Netapp | Hci Storage Node | - |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.1 |
| Oracle | Communications Cloud Native Core Policy | 22.2.0 |
| Oracle | Http Server | 12.2.1.3.0 |
| Oracle | Zfs Storage Appliance Kit | 8.8 |
Related Weaknesses (CWE)
References
- https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a (Patch, Third Party Advisory)
- https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#dif (Patch, Third Party Advisory)
- https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 (Patch, Third Party Advisory)
- https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202208-06 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220107-0005/ (Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5043 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-43818?
CVE-2021-43818 is a vulnerability with a CVSS score of 8.2 (HIGH). lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content ...
How severe is CVE-2021-43818?
CVE-2021-43818 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-43818?
Check the references section above for vendor advisories and patch information. Affected products include: Lxml Lxml, Fedoraproject Fedora, Debian Debian Linux, Netapp Solidfire, Netapp Solidfire Enterprise Sds.