製品・ソフトウェアに関する情報

JVN脆弱性詳細

lxml におけるクロスサイトスクリプティングの脆弱性

タイトル	lxml におけるクロスサイトスクリプティングの脆弱性
概要	lxml には、クロスサイトスクリプティングの脆弱性が存在します。
想定される影響	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2021年12月13日0:00
登録日	2022年12月9日9:30
最終更新日	2022年12月9日9:30

CVSS3.0 : 重要
スコア	7.1
ベクター	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVSS2.0 : 警告
スコア	6.8
ベクター	AV:N/AC:M/Au:N/C:P/I:P/A:P

影響を受けるシステム

オラクル

Oracle Communications Cloud Native Core Network Exposure Function

Oracle Communications Cloud Native Core Policy

Oracle Communications Cloud_native Core Binding Support Function

Oracle HTTP Server

Debian

Debian GNU/Linux

Fedora Project

Fedora

NetApp

NetApp HCI Storage Node ファームウェア

NetApp SolidFire

NetApp SolidFire Enterprise SDS

lxml

lxml 4.6.5 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-43818	https://www.cve.org/CVERecord?id=CVE-2021-43818
National Vulnerability Database (NVD)
2	CVE-2021-43818	https://nvd.nist.gov/vuln/detail/CVE-2021-43818

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	名前	URL
Debian
1	[SECURITY] [DLA 2871-1] lxml security update	https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
Debian Security Advisory
2	DSA-5043-1	https://www.debian.org/security/2022/dsa-5043
Fedora Update Notification
3	FEDORA-2021-6e8fb79f90	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
4	FEDORA-2021-9f9e7c5c4f	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
5	FEDORA-2022-7129fbaeed	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
6	FEDORA-2022-96c79bf003	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
GitHub
7	Cleaner: Prevent "@import" from re-occurring in the CSS after replacements, e.g. "@@importimport".	https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
8	Cleaner: Remove SVG image data URLs since they can embed script content.	https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
9	HTML Cleaner allows crafted and SVG embedded scripts to pass through	https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
10	Prepare release of 4.6.5.	https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
NetApp Advisory
11	NTAP-20220107-0005	https://security.netapp.com/advisory/ntap-20220107-0005/
Oracle Critical Patch Update
12	Oracle Critical Patch Update Advisory - April 2022	https://www.oracle.com/security-alerts/cpuapr2022.html
13	Oracle Critical Patch Update Advisory - July 2022	https://www.oracle.com/security-alerts/cpujul2022.html

その他

No	名前	URL
関連文書
1	lxml: Multiple Vulnerabilities - GLSA 202208-06	https://security.gentoo.org/glsa/202208-06

変更履歴

No	変更内容	変更日
1	[2022年12月09日] 掲載	2022年12月9日9:29

NVD脆弱性情報

CVE-2021-43818

概要	lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
公表日	2021年12月14日3:15
登録日	2021年12月14日10:00
最終更新日	2024年11月21日15:29

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:lxml:lxml::::::::					4.6.5

構成2	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:34:::::::*
cpe:2.3:o:fedoraproject:fedora:35:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:debian:debian_linux:11.0:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:a:netapp:solidfire:-:::::::*
cpe:2.3:a:netapp:solidfire_enterprise_sds:-:::::::*

構成5		以上	以下	より上	未満
cpe:2.3:o:netapp:hci_storage_node_firmware:-:::::::*
実行環境
1	cpe:2.3:h:netapp:hci_storage_node:-:::::::*

構成6	以上	以下	より上	未満
cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:::::::*

関連情報、対策とツール

No	URL	タグ
1	https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a	Patch Third Party Advisory
2	https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a	Patch Third Party Advisory
3	https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776	Patch Third Party Advisory
4	https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776	Patch Third Party Advisory
5	https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0	Patch Third Party Advisory
6	https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0	Patch Third Party Advisory
7	https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8	Third Party Advisory
8	https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8	Third Party Advisory
9	https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html	Mailing List Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html	Mailing List Third Party Advisory
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
17	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
18	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
19	https://security.gentoo.org/glsa/202208-06	Third Party Advisory
20	https://security.gentoo.org/glsa/202208-06	Third Party Advisory
21	https://security.netapp.com/advisory/ntap-20220107-0005/	Third Party Advisory
22	https://security.netapp.com/advisory/ntap-20220107-0005/	Third Party Advisory
23	https://www.debian.org/security/2022/dsa-5043	Third Party Advisory
24	https://www.debian.org/security/2022/dsa-5043	Third Party Advisory
25	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
26	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
27	https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
28	https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

共通脆弱性一覧

構成6	以上	以下	より上	未満
cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:::::::*