fedora-python lxml_html_clean up to 0.3.x incomplete blacklist

Summaryinfo

A vulnerability was found in fedora-python lxml_html_clean up to 0.3.x. It has been rated as critical. This impacts the function lxml_html_clean. This manipulation causes incomplete blacklist. This vulnerability is handled as CVE-2024-52595. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical was found in fedora-python lxml_html_clean up to 0.3.x. Affected by this vulnerability is the function lxml_html_clean. The manipulation with an unknown input leads to a incomplete blacklist vulnerability. The CWE definition for the vulnerability is CWE-184. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as ``, `` and ``. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like ``, `` and ``.

The advisory is shared at github.com. This vulnerability is known as CVE-2024-52595 since 11/14/2024. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1562.006 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 256762 (Linux Distros Unpatched Vulnerability : CVE-2024-52595), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 0.4.0 eliminates this vulnerability. Applying the patch c5d816f86eb3707d72a8ecf5f3823e0daa1b3808 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (256762). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Programming Language Software

Vendor

• fedora-python

Name

• lxml_html_clean

Version

• 0.1
• 0.2
• 0.3

License

• open-source

Website

• Product: https://github.com/fedora-python/lxml_html_clean/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion