CVE-2021-43818: 
Python vulnerability analysis and mitigation

CVE-2021-43818 affects lxml, a Python library for processing XML and HTML. Prior to version 4.6.5, the HTML Cleaner in lxml.html contained a vulnerability that allows certain crafted script content to pass through, as well as script content in SVG files embedded using data URIs. The vulnerability was discovered in November 2021 and publicly disclosed on December 12, 2021 (GitHub Advisory).

The vulnerability stems from two main issues in the HTML Cleaner component: improper sanitization of inline style attributes and inadequate filtering of data URL images. The HTML Cleaner failed to properly sanitize data URLs and style attributes, allowing potential bypass of security controls. The vulnerability received a CVSS v3.1 base score of 7.1 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

Successful exploitation of this vulnerability could lead to Cross-Site Scripting (XSS) attacks, potentially resulting in the disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects applications that employ the HTML cleaner in security-relevant contexts (NetApp Advisory).

The vulnerability was patched in lxml version 4.6.5. Users should upgrade to this version or later to receive the fix. There are no known workarounds available. The fix includes improvements to the sanitization of style attributes and proper handling of SVG image data URLs (GitHub Advisory).

Multiple vendors and distributions responded to this vulnerability by releasing security advisories and patches, including Debian, Fedora, Oracle, and NetApp. Debian released security updates for multiple versions of their distribution (Debian Advisory), while Fedora provided fixes for both their main Python package and MinGW builds (Fedora Update).