Bug 1118088 (CVE-2018-19787) - VUL-1: CVE-2018-19787: python-lxml: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks
Summary: VUL-1: CVE-2018-19787: python-lxml: lxml/html/clean.py in the lxml.html.clean...
Status: RESOLVED FIXED
Alias: CVE-2018-19787
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/220014/
Whiteboard: CVSSv3.1:SUSE:CVE-2018-19787:5.4:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-03 07:28 UTC by Marcus Meissner
Modified: 2024-06-13 15:34 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-12-03 07:28:11 UTC 
CVE-2018-19787

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19787
http://www.cvedetails.com/cve/CVE-2018-19787/
Comment 2 Marcus Meissner 2018-12-03 08:04:32 UTC 
The testsuite was adjusted to cover the tests.
Comment 7 Swamp Workflow Management 2022-03-10 20:20:05 UTC 
openSUSE-SU-2022:0803-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-lxml-4.7.1-3.7.1
openSUSE Leap 15.3 (src):    python-lxml-4.7.1-3.7.1
Comment 8 Swamp Workflow Management 2022-03-10 20:21:49 UTC 
SUSE-SU-2022:0803-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    python-lxml-4.7.1-3.7.1
SUSE Manager Retail Branch Server 4.1 (src):    python-lxml-4.7.1-3.7.1
SUSE Manager Proxy 4.1 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python-lxml-4.7.1-3.7.1
SUSE Enterprise Storage 7 (src):    python-lxml-4.7.1-3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-03-17 20:17:21 UTC 
SUSE-SU-2022:0895-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-lxml-3.6.1-8.5.1
SUSE OpenStack Cloud 8 (src):    python-lxml-3.6.1-8.5.1
SUSE Linux Enterprise Server 12-SP5 (src):    python-lxml-3.6.1-8.5.1
HPE Helion Openstack 8 (src):    python-lxml-3.6.1-8.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-05-04 19:17:52 UTC 
SUSE-SU-2022:1536-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1118088,1184177,1196249,1196877,1197279,1197417,1197637,1198556
CVE References: CVE-2018-19787,CVE-2021-28957,CVE-2022-0778,CVE-2022-22934,CVE-2022-22935,CVE-2022-22936,CVE-2022-22941,CVE-2022-24302
JIRA References: 
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3004-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-05-18 19:16:10 UTC 
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970
JIRA References: SOC-11620,SOC-11621
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1
SUSE OpenStack Cloud 9 (src):    ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Thomas Leroy 2024-05-07 14:32:05 UTC 
All done, closing.