GHSA-vv2x-vrpj-qqpq
- Source
- https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json
- Aliases
- Published
- 2021-02-02T17:58:40Z
- Modified
- 2024-02-22T05:33:40.763883Z
- Details
-
Impact
A mutation XSS affects users calling
bleach.cleanwith all of:svgormathin the allowed tagsporbrin allowed tagsstyle,title,noscript,script,textarea,noframes,iframe, orxmpin allowed tags- the keyword argument
strip_comments=False
Note: none of the above tags are in the default allowed tags and
strip_commentsdefaults toTrue.Patches
Users are encouraged to upgrade to bleach v3.3.0 or greater.
Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.
Workarounds
modify
bleach.cleancalls to at least one of:- not allow the
style,title,noscript,script,textarea,noframes,iframe, orxmptag - not allow
svgormathtags - not allow
porbrtags - set
strip_comments=True
- not allow the
A strong Content-Security-Policy without
unsafe-inlineandunsafe-evalscript-srcs) will also help mitigate the risk.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://advisory.checkmarx.net/advisory/CX-2021-4303
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
- https://cure53.de/fp170.pdf
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
- Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by MichaĆ Bentkowski at Securitum
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/mozilla/bleach/issues
- Email us at security@mozilla.org
- References
-
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://nvd.nist.gov/vuln/detail/CVE-2021-23980
- https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980
- https://cure53.de/fp170.pdf
- https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4
- https://pypi.org/project/bleach
Affected packages
PyPI / bleach
Package
- Name
- bleach
Affected versions
0.*
0.1
0.1.1
0.1.2
0.2
0.2.1
0.2.2
0.3
0.3.1
0.3.3
0.3.4
0.5.0
0.5.1
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2
1.2.1
1.2.2
1.4
1.4.1
1.4.2
1.4.3
1.5.0
2.*
2.0.0
2.1
2.1.1
2.1.2
2.1.3
2.1.4
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.2.0
3.2.1
3.2.2
3.2.3