CVE-2021-43818

Severity: High (CVSS 3.1 base score 7.1)
Published Dec 13, 2021 · Modified Jun 17, 2026

Description

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security-relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

CVSS Details

Base Score: 7.1
Exploitability: 2.8
Impact: 3.7
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (2)

CWE-74 Injection
CWE-79 Cross-site Scripting

Affected Products (16)

Vendor          Product                                                      Version      Range
lxml            lxml                                                         *            <4.6.5
fedoraproject   fedora                                                       34           any
fedoraproject   fedora                                                       35           any
debian          debian_linux                                                 9.0          any
debian          debian_linux                                                 10.0         any
debian          debian_linux                                                 11.0         any
netapp          solidfire                                                    *            any
netapp          solidfire_enterprise_sds                                     *            any
netapp          hci_storage_node_firmware                                    *            any
netapp          hci_storage_node                                             *            any
oracle          communications_cloud_native_core_binding_support_function    22.1.3       any
oracle          communications_cloud_native_core_network_exposure_function   22.1.1       any
oracle          communications_cloud_native_core_policy                      22.2.0       any
oracle          http_server                                                  12.2.1.3.0   any
oracle          http_server                                                  12.2.1.4.0   any
oracle          zfs_storage_appliance_kit                                    8.8          any

References (14)

  • github.com https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
    Patch, Third Party Advisory
  • github.com https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
    Patch, Third Party Advisory
  • github.com https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
    Patch, Third Party Advisory
  • github.com https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
  • security.gentoo.org https://security.gentoo.org/glsa/202208-06
    Third Party Advisory
  • security.netapp.com https://security.netapp.com/advisory/ntap-20220107-0005/
    Third Party Advisory
  • debian.org https://www.debian.org/security/2022/dsa-5043
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory

Remediation

  • github.com https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
    Patch, Third Party Advisory
  • github.com https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
    Patch, Third Party Advisory
  • github.com https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory