Open mend-for-github-com[bot] opened 4 months ago
An easy safelist-based HTML-sanitizing tool.
Library home page: https://files.pythonhosted.org/packages/9a/1e/7d6cb3b27cd2c490558349ca5d5cc05b390b017da1c704cac807ac8bd9fb/bleach-3.1.5-py2.py3-none-any.whl
Path to dependency file: /python/spec/fixtures/projects/unresolvable/requirements.txt
Path to vulnerable library: /python/spec/fixtures/projects/unresolvable/requirements.txt,/python/spec/fixtures/projects/unresolvable/requirements.txt
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Dependency Hierarchy: - :x: **bleach-3.1.5-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: main
In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.
Publish Date: 2021-02-01
URL: WS-2021-0011
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution: 3.3.0
:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.
An easy safelist-based HTML-sanitizing tool.
Library home page: https://files.pythonhosted.org/packages/9a/1e/7d6cb3b27cd2c490558349ca5d5cc05b390b017da1c704cac807ac8bd9fb/bleach-3.1.5-py2.py3-none-any.whl
Path to dependency file: /python/spec/fixtures/projects/unresolvable/requirements.txt
Path to vulnerable library: /python/spec/fixtures/projects/unresolvable/requirements.txt,/python/spec/fixtures/projects/unresolvable/requirements.txt
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2021-0011
### Vulnerable Library - bleach-3.1.5-py2.py3-none-any.whlAn easy safelist-based HTML-sanitizing tool.
Library home page: https://files.pythonhosted.org/packages/9a/1e/7d6cb3b27cd2c490558349ca5d5cc05b390b017da1c704cac807ac8bd9fb/bleach-3.1.5-py2.py3-none-any.whl
Path to dependency file: /python/spec/fixtures/projects/unresolvable/requirements.txt
Path to vulnerable library: /python/spec/fixtures/projects/unresolvable/requirements.txt,/python/spec/fixtures/projects/unresolvable/requirements.txt
Dependency Hierarchy: - :x: **bleach-3.1.5-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.
Publish Date: 2021-02-01
URL: WS-2021-0011
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution: 3.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.