CVE-2018-7753
Aliases:GHSA-m9mq-p2f9-cfqvPYSEC-2018-51
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 07 Mar 2018, 23:00
Last modified:17 Sept 2024, 01:25
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.0 (nvd)
EPSS Score
0.51% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
07 Mar 2018, 23:00
Published
Vulnerability first disclosed
17 Sept 2024, 01:25
Last Modified
Vulnerability information updated
Description
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
CVSS Metrics
- v4.0•CRITICAL•Score: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.51%• Percentile: 67%
Techniques & Countermeasures
- CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Affected Systems
- mozilla•bleach
2.1 | 2.1.1 | 2.1.2
- PyPI•bleach
≥ 2.1.0, < 2.1.3 | < c5df5789ec3471a31311f42c2d19fc2cf21b35ef | ≥ 2.1, < 2.1.3
References (7)
- https://github.com/mozilla/bleach/releases/tag/v2.1.3
- https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
- https://bugs.debian.org/892252
- https://nvd.nist.gov/vuln/detail/CVE-2018-7753
- https://github.com/mozilla/bleach
- https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2018-51.yaml
- https://github.com/advisories/GHSA-m9mq-p2f9-cfqv