CVE-2020-27783 (Medium) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz #18

mend-for-github-com · 2020-11-30T01:00:29Z

CVE-2020-27783 - Medium Severity Vulnerability

Vulnerable Libraries - lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz

lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/03/06/eb9f000882f671a2d494342c1fe93b1c8b18fb04420bb611aeaa3298ef17/lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: clusterfuzz/src/python/bot/tasks

Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/platform_requirements.txt

Dependency Hierarchy:

❌ lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

lxml-3.3.5.tar.gz

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/ae/a8/ad6c2350c65b357faf9a06c7428b5c6159b01bd3014eed93a75513843063/lxml-3.3.5.tar.gz

Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build

Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/handlers/cron/project

Dependency Hierarchy:

❌ lxml-3.3.5.tar.gz (Vulnerable Library)

Vulnerability Details

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Publish Date: 2020-12-03

URL: CVE-2020-27783

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1901633

Release Date: 2020-10-27

Fix Resolution: 4.6.1

mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Nov 30, 2020

mend-for-github-com bot changed the title ~~CVE-2020-27783 (High) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz~~ CVE-2020-27783 (Medium) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz Dec 23, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-27783 (Medium) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz #18

CVE-2020-27783 (Medium) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz #18

mend-for-github-com bot commented Nov 30, 2020 •

edited

CVE-2020-27783 (Medium) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz #18

CVE-2020-27783 (Medium) detected in lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz #18

Comments

mend-for-github-com bot commented Nov 30, 2020 • edited

CVE-2020-27783 - Medium Severity Vulnerability

mend-for-github-com bot commented Nov 30, 2020 •

edited