CVE-2020-6817 - Regular expression denial of service (ReDoS) in Mozilla Bleach

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Tags: network, low complexity, mozilla, nessus

Summary

The code path that bleach.clean uses to parse style attributes can be driven into a regular expression denial of service (ReDoS). Any call to bleach.clean that allows a tag together with the style attribute on that tag is exposed, for example bleach.clean(..., attributes={'a': ['style']}): an attacker who controls the input being sanitized can supply a style value that forces the regex engine into catastrophic backtracking and pins the CPU for the duration of the match. Bleach 3.1.4 is the upstream security release that addresses it (see the distribution advisories below).
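The following added example is not Bleach's own code; it is triage tooling written for this page. It checks whether an installed version predates the 3.1.4 fix named in the distribution advisories below, reports which tags a given bleach.clean attributes value would admit `style` on (using the list, dict and callable shapes Bleach documents for that argument), times an illustrative nested-quantifier pattern to show why such patterns explode on near-miss input (that pattern is an assumption chosen for the demonstration, not the regex Bleach shipped), and offers a single-pass allow-list style sanitizer as a hardened alternative for sites that must keep `style`. The allowed-property set and all function names are assumptions.

```python
"""Triage helpers for CVE-2020-6817 (ReDoS in bleach.clean style parsing).

Added example, not part of Bleach. Assumptions: 3.1.4 is the first fixed
release (per the distro advisories), the `attributes` argument uses the
shapes bleach documents (list, dict of tag -> list or callable, or a
callable taking (tag, name, value)), and REDOS_SHAPE is an illustrative
nested-quantifier pattern, not the regex Bleach actually shipped.
"""
import re
import time

FIXED_VERSION = (3, 1, 4)


def parse_version(version):
    """'3.1.3' -> (3, 1, 3); tolerates suffixes like '3.1.4rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def version_is_affected(version):
    return parse_version(version) < FIXED_VERSION


def config_allows_style(attributes, tags=()):
    """Return the tags on which this bleach `attributes` value admits `style`.

    A '*' key in a dict applies to every tag, so it is reported as '*'.
    `tags` is only needed for the list and callable forms, which carry no
    tag information themselves.
    """
    if callable(attributes):
        return [t for t in tags if attributes(t, "style", "")]
    if isinstance(attributes, dict):
        exposed = []
        for tag, allowed in attributes.items():
            hit = allowed(tag, "style", "") if callable(allowed) else "style" in allowed
            if hit:
                exposed.append(tag)
        return exposed
    # A plain list/tuple/set of attribute names applies to every allowed tag.
    if "style" in attributes:
        return list(tags) or ["*"]
    return []


# Illustrative shape only (NOT Bleach's regex): a run of letters can be
# split between the inner \w+ and the outer * in 2**(n-1) ways, so a
# trailing character that cannot match forces the engine to try them all.
REDOS_SHAPE = re.compile(r"^(\w+\s?)*$")


def probe_backtracking(pattern=REDOS_SHAPE, lengths=(10, 14, 18)):
    """Time an 'almost matches' payload at a few lengths; returns [(n, seconds)].

    Lengths are kept small on purpose: each +1 roughly doubles the work.
    """
    timings = []
    for n in lengths:
        payload = "a" * n + "!"
        start = time.perf_counter()
        pattern.match(payload)
        timings.append((n, time.perf_counter() - start))
    return timings


# Hardened alternative for applications that must keep `style`: a single
# left-to-right pass with an allow-list, no regex and no backtracking.
ALLOWED_PROPERTIES = {"color", "font-weight", "text-align"}  # assumption
VALUE_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 #%.,-()"
)


def sanitize_style(style, allowed_properties=ALLOWED_PROPERTIES):
    """Keep only `prop: value` declarations whose property is allowed and
    whose value uses benign characters. Values containing ':' (url(...)),
    quotes or other characters outside VALUE_CHARS are dropped.
    Runs in O(len(style))."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep:
            continue
        prop, value = prop.strip().lower(), value.strip()
        if prop in allowed_properties and value and all(c in VALUE_CHARS for c in value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    print("3.1.3 affected:", version_is_affected("3.1.3"))
    print("style allowed on:", config_allows_style({"a": ["href", "style"]}))
    for n, secs in probe_backtracking():
        print(f"n={n:2d} {secs:.4f}s")
    print(sanitize_style("color: red; background: url(http://x); font-weight: bold"))
```

The quickest fix remains removing `style` from every allowed-attribute list until the upgrade to 3.1.4 or later is deployed; the scanner above is for cases where inline styling is a product requirement, and it deliberately rejects anything it cannot classify rather than trying to parse it.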

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-E1FA96C506.NASL
    description: Update to version 3.1.4, an upstream security release. See the [upstream changelog](https://github.com/mozilla/bleach/blob/v3.1.4/CHANGES) for details. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2020-04-30
    plugin id: 136156
    published: 2020-04-30
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136156
    title: Fedora 31 : python-bleach (2020-e1fa96c506)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-827B677E15.NASL
    description: Update to version 3.1.4, an upstream security release. See the [upstream changelog](https://github.com/mozilla/bleach/blob/v3.1.4/CHANGES) for details. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2020-04-30
    plugin id: 136153
    published: 2020-04-30
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136153
    title: Fedora 30 : python-bleach (2020-827b677e15)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_4C52EC3C86F311EAB5B4641C67A117D8.NASL
    description: Bleach developers report: bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={
    last seen: 2020-04-30
    modified: 2020-04-27
    plugin id: 136003
    published: 2020-04-27
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136003
    title: FreeBSD : py-bleach -- regular expression denial-of-service (4c52ec3c-86f3-11ea-b5b4-641c67a117d8)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-2167.NASL
    description: A vulnerability was discovered in python-bleach, a whitelist-based HTML-sanitizing library. Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to a regular expression denial of service (ReDoS). For Debian 8
    last seen: 2020-04-03
    modified: 2020-04-02
    plugin id: 135102
    published: 2020-04-02
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135102
    title: Debian DLA-2167-1 : python-bleach security update