CVE-2021-43818
lxml - security update
8.2
HIGH
CVSS 3.1
EPSS 5.4%
Description
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users who employ the HTML cleaner in a security-relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
How to fix CVE-2021-43818
To remediate CVE-2021-43818, upgrade the affected package to a fixed version below.
- upgrade to 4.6.5-r0 or later
- upgrade to 4.6.3+dfsg-0.1+deb11u1 or later
- upgrade to 3.7.1-1+deb9u5 or later
- upgrade to 4.3.2-1+deb10u4 or later
- upgrade to 4.6.5 or later
- upgrade to f2330237440df7e8f39c3ad1b1aa8852be3b27c0 or later
Is CVE-2021-43818 being exploited?
Moderate — EPSS is 5.4%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (6)
- from 0, < 4.6.5-r0
- from 0, < 4.6.3+dfsg-0.1+deb11u1
- from 0, < 3.7.1-1+deb9u5
- from 0, < 4.3.2-1+deb10u4
- from 0, < 4.6.5
- from 0, < f2330237440df7e8f39c3ad1b1aa8852be3b27c0, < 12fa9669007180a7bb87d990c375cf91ca5b664a | from 0, < a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c | from 0, < 4.6.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N |