pysec - pysec-2021-865

pysec-2021-865

Vulnerability from pysec

Published

2021-02-02 17:58

Modified

2022-01-05 02:16

Details

In Mozilla Bleach before 3.3.0, a mutation XSS affects users calling bleach.clean with math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False.

Impacted products

Name	purl
bleach	pkg:pypi/bleach

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bleach",
        "purl": "pkg:pypi/bleach"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "79b7a3c5e56a09d1d323a5006afa59b56162eb13"
            }
          ],
          "repo": "https://github.com/mozilla/bleach",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.1.1",
        "0.1.2",
        "0.2",
        "0.2.1",
        "0.2.2",
        "0.3",
        "0.3.1",
        "0.3.3",
        "0.3.4",
        "0.5.0",
        "0.5.1",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.5.0",
        "2.0.0",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.1.4",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.1.4",
        "3.1.5",
        "3.2.0",
        "3.2.1",
        "3.2.2",
        "3.2.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23980",
    "GHSA-vv2x-vrpj-qqpq"
  ],
  "details": "In Mozilla Bleach before 3.3.0, a mutation XSS affects users calling bleach.clean with math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False.",
  "id": "PYSEC-2021-865",
  "modified": "2022-01-05T02:16:13.001009Z",
  "published": "2021-02-02T17:58:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://advisory.checkmarx.net/advisory/CX-2021-4303"
    },
    {
      "type": "REPORT",
      "url": "ttps://bugzilla.mozilla.org/show_bug.cgi?id=1689399"
    },
    {
      "type": "FIX",
      "url": "https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13"
    }
  ]
}

ghsa-vv2x-vrpj-qqpq

Vulnerability from github

Published

2021-02-02 17:58

Modified

2025-03-20 18:50

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Cross-site scripting in Bleach

Details

Impact

A mutation XSS affects users calling bleach.clean with all of:

svg or math in the allowed tags
p or br in allowed tags
style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags
the keyword argument strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

Patches

Users are encouraged to upgrade to bleach v3.3.0 or greater.

Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.

Workarounds

modify bleach.clean calls to at least one of:
not allow the style, title, noscript, script, textarea, noframes, iframe, or xmp tag
not allow svg or math tags
not allow p or br tags
set strip_comments=True
A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
https://advisory.checkmarx.net/advisory/CX-2021-4303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
https://cure53.de/fp170.pdf

Credits

Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by Michał Bentkowski at Securitum

For more information

If you have any questions or comments about this advisory:

Open an issue at https://github.com/mozilla/bleach/issues
Email us at security@mozilla.org

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bleach"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-02T15:54:20Z",
    "nvd_published_at": "2023-02-16T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact                                                                                                                                                                                                                                                    \n\nA [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of:\n\n* `svg` or `math` in the allowed tags\n* `p` or `br` in allowed tags\n* `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` in allowed tags\n* the keyword argument `strip_comments=False`\n\nNote: none of the above tags are in the default allowed tags and `strip_comments` defaults to `True`.\n\n### Patches\n\nUsers are encouraged to upgrade to bleach v3.3.0 or greater.\n\nNote: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.\n\n### Workarounds\n\n* modify `bleach.clean` calls to at least one of:\n  * not allow the `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` tag\n  * not allow `svg` or `math` tags\n  * not allow `p` or `br` tags\n  * set `strip_comments=True`\n\n* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=1689399\n* https://advisory.checkmarx.net/advisory/CX-2021-4303\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980\n* https://cure53.de/fp170.pdf\n\n### Credits\n\n* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx\n* Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by [Micha\u0142 Bentkowski](https://twitter.com/SecurityMB) at Securitum\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)\n* Email us at [security@mozilla.org](mailto:security@mozilla.org)",
  "id": "GHSA-vv2x-vrpj-qqpq",
  "modified": "2025-03-20T18:50:31Z",
  "published": "2021-02-02T17:58:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23980"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13"
    },
    {
      "type": "WEB",
      "url": "https://advisory.checkmarx.net/advisory/CX-2021-4303"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1689399"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980"
    },
    {
      "type": "WEB",
      "url": "https://cure53.de/fp170.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mozilla/bleach"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2021-865.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/bleach"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cross-site scripting in Bleach"
}

CVE-2021-23980 (GCVE-0-2021-23980)

Vulnerability from cvelistv5

Published

2023-02-16 00:00

Modified

2025-03-19 15:18

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

mutation XSS via allowed math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False

Summary

A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

References

URL

Tags

	https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
	https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980

Impacted products

	Vendor	Product	Version
	Mozilla	Mozilla Bleach	Version: unspecified < 3.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:14:09.990Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-23980",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-19T15:18:14.680659Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T15:18:23.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mozilla Bleach",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "3.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": " mutation XSS via allowed math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-16T00:00:00.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq"
        },
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2021-23980",
    "datePublished": "2023-02-16T00:00:00.000Z",
    "dateReserved": "2021-01-13T00:00:00.000Z",
    "dateUpdated": "2025-03-19T15:18:23.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2021-865

Vulnerability from pysec

ghsa-vv2x-vrpj-qqpq

Vulnerability from github

Impact

Patches

Workarounds

References

Credits

For more information

CVE-2021-23980 (GCVE-0-2021-23980)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature