WS-2021-0011 (Medium) detected in bleach-3.2.1-py2.py3-none-any.whl
mend-bolt-for-github opened this issue · 0 comments
WS-2021-0011 - Medium Severity Vulnerability
Vulnerable Library - bleach-3.2.1-py2.py3-none-any.whl
An easy safelist-based HTML-sanitizing tool.
Library home page: https://files.pythonhosted.org/packages/03/c8/b7ed0dfea5cb287907bd22c5ff7c3ed0a65b346f2a4cf916eb9e83be66b3/bleach-3.2.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- streamlit-0.55.2-py2.py3-none-any.whl (Root Library)
- pydeck-0.5.0-py2.py3-none-any.whl
- ipywidgets-7.5.1-py2.py3-none-any.whl
- widgetsnbextension-3.5.1-py2.py3-none-any.whl
- notebook-5.7.10-py2.py3-none-any.whl
- nbconvert-5.6.1-py2.py3-none-any.whl
- ❌ bleach-3.2.1-py2.py3-none-any.whl (Vulnerable Library)
- nbconvert-5.6.1-py2.py3-none-any.whl
- notebook-5.7.10-py2.py3-none-any.whl
- widgetsnbextension-3.5.1-py2.py3-none-any.whl
- ipywidgets-7.5.1-py2.py3-none-any.whl
- pydeck-0.5.0-py2.py3-none-any.whl
Found in base branch: main
Vulnerability Details
In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.
Publish Date: 2021-02-01
URL: WS-2021-0011
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution (bleach): 3.3.0
Direct dependency fix Resolution (streamlit): 0.56.0
Step up your Open Source Security Game with Mend here