CVE-2021-43818: HTML Cleaner allows crafted and SVG embedded scripts to pass through

Published Dec 12, 2021
·
Updated

Impact The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs.

Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5.

Patches The issue has been resolved in lxml 4.6.5.

Workarounds None.

References The issues are tracked under the report IDs GHSL-2021-1037 and GHSL-2021-1038.

Other sources

lxml could allow a remote attacker to bypass security restrictions, caused by a flaw in HTML Cleaner in lxml.html. By sending a specially-crafted script content, an attacker could exploit this vulnerability to allow crafted and SVG embedded scripts to pass through.

IBM

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src="">. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances.

Affected Software

25 affected componentsFixes available
redhat/python-lxml<0:4.2.3-4.el8
0:4.2.3-4.el8
redhat/python-lxml<0:4.7.1-1.el8
0:4.7.1-1.el8
redhat/rh-python38-python-lxml<0:4.4.1-8.el7
0:4.4.1-8.el7
debian/lxml
4.3.2-1+deb10u44.6.3+dfsg-0.1+deb11u14.9.2-14.9.3-1
redhat/python-lxml<4.6.5
4.6.5
pip/lxml<4.6.5
4.6.5
IBM QRadar SIEM<=7.5 - 7.5.0 UP8 IF01
lxml lxml<4.6.5
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
NetApp Solidfire
NetApp Solidfire Enterprise Sds
All of the following
NetApp Hci Storage Node Firmware
NetApp Hci Storage Node
Oracle Communications Cloud Native Core Binding Support Function=22.1.3
Oracle Communications Cloud Native Core Network Exposure Function=22.1.1
Oracle Communications Cloud Native Core Policy=22.2.0
Oracle HTTP Server=12.2.1.3.0
Oracle HTTP Server=12.2.1.4.0
Oracle ZFS Storage Appliance Kit=8.8
NetApp Hci Storage Node Firmware
NetApp Hci Storage Node

Remediation

Patch Available

https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a

Patch Available

https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776

Patch Available

https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Information

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Event History

Dec 12, 2021
CVE Published
12:00 AM
Dec 13, 2021
CVE Published
via MITRE·06:05 PM
Data Sourced
via MITRE·06:05 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·06:14 PM
Dec 14, 2021
Data Sourced
via Red Hat·06:02 PM
DescriptionSeverityAffected Software
Dec 18, 2021
Data Sourced
10:45 AM
SeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-43818?

CVE-2021-43818 is a vulnerability in python-lxml's HTML Cleaner component that allows an attacker to trigger script execution in clients.

2

How does CVE-2021-43818 affect python-lxml?

CVE-2021-43818 affects python-lxml versions prior to 4.6.5.

3

What is the severity of CVE-2021-43818?

CVE-2021-43818 has a severity rating of 8.8 (High).

4

How can the CVE-2021-43818 vulnerability be fixed?

To fix the CVE-2021-43818 vulnerability, upgrade python-lxml to version 4.6.5 or higher.

5

Where can I find more information about CVE-2021-43818?

You can find more information about CVE-2021-43818 at the following references: [link1], [link2], [link3].

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203