CVE-2018-7753

NameCVE-2018-7753
DescriptionAn issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs892252

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-bleach (PTS)buster, buster (security)3.1.2-0+deb10u2fixed
bullseye3.2.1-2.1fixed
bookworm5.0.1-2fixed
sid, trixie6.1.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-bleachsourcejessie(not affected)
python-bleachsourcestretch(not affected)
python-bleachsource(unstable)2.1.3-1892252

Notes

[stretch] - python-bleach <not-affected> (Vulnerable code introduced later)
[jessie] - python-bleach <not-affected> (Vulnerable code introduced later)
https://github.com/mozilla/bleach/pull/356
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
Search for package or bug name: Reporting problems