ALAS-2023-1709


Amazon Linux 1 Security Advisory: ALAS-2023-1709
Advisory Release Date: 2023-03-17 15:53 Pacific
Advisory Updated Date: 2023-03-22 18:51 Pacific
Severity: Important

Issue Overview:

A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2020-27783)

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src=>. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. (CVE-2021-43818)


Affected Packages:

python-lxml


Issue Correction:
Run yum update python-lxml to update your system.

New Packages:
i686:
    python-lxml-debuginfo-3.2.1-4.10.amzn1.i686
    python26-lxml-3.2.1-4.10.amzn1.i686
    python27-lxml-3.2.1-4.10.amzn1.i686

noarch:
    python26-lxml-docs-3.2.1-4.10.amzn1.noarch
    python27-lxml-docs-3.2.1-4.10.amzn1.noarch

src:
    python-lxml-3.2.1-4.10.amzn1.src

x86_64:
    python-lxml-debuginfo-3.2.1-4.10.amzn1.x86_64
    python26-lxml-3.2.1-4.10.amzn1.x86_64
    python27-lxml-3.2.1-4.10.amzn1.x86_64