CVE-2020-6817 - Regular expression denial of service (ReDoS) in Mozilla Bleach
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). Deployments that do not allow the style attribute on any tag are not reachable by this issue. Fixed upstream in Bleach 3.1.4, the release the distribution advisories listed below ship.
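The two conditions in the summary (a Bleach release before 3.1.4, and an `attributes` value for `bleach.clean` that admits `style` on some tag) can be checked mechanically. The following Python is an added example, not code from this page or from the Bleach project. It assumes the `attributes` formats that `bleach.clean` accepts (a list of attribute names, a dict mapping a tag or `'*'` to a list or to a filter callable `f(tag, name, value)`, or a single filter callable), takes the installed version as a string (for instance from `importlib.metadata.version("bleach")`), and offers `drop_style` as an interim workaround for deployments that cannot upgrade at once. The `PROBE_TAGS` list and the function names are this example's own.

```python
import re

# CVE-2020-6817 was fixed in Bleach 3.1.4 (the release the distro advisories ship).
FIXED_VERSION = (3, 1, 4)

# Tags used to probe callable attribute filters. Assumption of this example:
# a handful of common tags is enough to reveal whether a filter ever admits "style".
PROBE_TAGS = ("a", "p", "span", "div", "img")


def parse_version(version):
    """Reduce a version string such as '3.1.4' or '3.1.4rc1' to an int tuple.

    Only the leading numeric components are compared; suffixes are ignored,
    which is conservative enough for a single-release cutoff like 3.1.4.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable_version(version):
    """True if this Bleach release predates the ReDoS fix in 3.1.4."""
    return parse_version(version) < FIXED_VERSION


def _filter_admits_style(filter_fn, tags):
    """Probe a bleach attribute filter, filter_fn(tag, name, value) -> bool, for 'style'."""
    return any(filter_fn(tag, "style", "") for tag in tags)


def style_allowed(attributes, probe_tags=PROBE_TAGS):
    """Does this `attributes` value (as passed to bleach.clean) admit 'style' anywhere?"""
    if callable(attributes):
        return _filter_admits_style(attributes, probe_tags)
    if isinstance(attributes, dict):
        for tag, allowed in attributes.items():
            if callable(allowed):
                tags = probe_tags if tag == "*" else (tag,)
                if _filter_admits_style(allowed, tags):
                    return True
            elif "style" in allowed:
                return True
        return False
    # Plain list/tuple/set of attribute names applied to every allowed tag.
    return "style" in attributes


def exposed(version, attributes):
    """The advisory's trigger needs both: a pre-3.1.4 release and 'style' allowed."""
    return is_vulnerable_version(version) and style_allowed(attributes)


def drop_style(attributes):
    """Return an equivalent `attributes` value that never admits 'style'.

    The ReDoS lives in the style-attribute parsing, so refusing 'style'
    removes the trigger while an upgrade to 3.1.4 or later is scheduled.
    Callables are wrapped rather than replaced so other decisions are kept.
    """
    if callable(attributes):
        return lambda tag, name, value, _f=attributes: name != "style" and _f(tag, name, value)
    if isinstance(attributes, dict):
        hardened = {}
        for tag, allowed in attributes.items():
            if callable(allowed):
                hardened[tag] = lambda t, n, v, _f=allowed: n != "style" and _f(t, n, v)
            else:
                hardened[tag] = [a for a in allowed if a != "style"]
        return hardened
    return [a for a in attributes if a != "style"]


if __name__ == "__main__":
    # Constructed sample configuration: the exact pattern the advisory names.
    attrs = {"a": ["href", "style"], "img": ["src"]}
    print("bleach 3.1.3 with style allowed:", exposed("3.1.3", attrs))  # True
    print("bleach 3.1.4 with style allowed:", exposed("3.1.4", attrs))  # False
    print("hardened attributes:", drop_style(attrs))
```

`drop_style` is a stopgap, not a substitute for the upgrade: any other code path that still hands untrusted style values to a pre-3.1.4 sanitizer remains affected, and the probing of callable filters is heuristic, so treat a `False` from `style_allowed` on a callable as "not observed" rather than proven.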
Vulnerable Configurations
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2020-E1FA96C506.NASL
description: Update to version 3.1.4, an upstream security release. See the [upstream changelog](https://github.com/mozilla/bleach/blob/v3.1.4/CHANGES) for details. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2020-04-30
plugin id: 136156
published: 2020-04-30
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136156
title: Fedora 31 : python-bleach (2020-e1fa96c506)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2020-827B677E15.NASL
description: Update to version 3.1.4, an upstream security release. See the [upstream changelog](https://github.com/mozilla/bleach/blob/v3.1.4/CHANGES) for details. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2020-04-30
plugin id: 136153
published: 2020-04-30
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136153
title: Fedora 30 : python-bleach (2020-827b677e15)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_4C52EC3C86F311EAB5B4641C67A117D8.NASL
description: Bleach developers report: bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={
last seen: 2020-04-30
modified: 2020-04-27
plugin id: 136003
published: 2020-04-27
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136003
title: FreeBSD : py-bleach -- regular expression denial-of-service (4c52ec3c-86f3-11ea-b5b4-641c67a117d8)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-2167.NASL
description: A vulnerability was discovered in python-bleach, a whitelist-based HTML-sanitizing library. Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to a regular expression denial of service (ReDoS). For Debian 8
last seen: 2020-04-03
modified: 2020-04-02
plugin id: 135102
published: 2020-04-02
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/135102
title: Debian DLA-2167-1 : python-bleach security update