CVE-2020-6817

Severity
7.5 HIGH
EPSS
0.6% (top 31.09%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Feb 16
Latest update Mar 5

Description

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

PyPI: bleach < 3.1.4
NVD: mozilla/bleach < 3.1.4
CVEListV5: mozilla/mozilla_bleach, unspecified / 3.1.4
Debian: python-bleach < 3.1.4-1+3

🔴Vulnerability Details (5)

OSV: CVE-2020-6817: bleach (2023-02-16)
CVEList: CVE-2020-6817: bleach (2023-02-16)
OSV: regular expression denial-of-service (ReDoS) in Bleach (2020-03-30)
OSV: CVE-2020-6817: In Mozilla Bleach before 3 (2020-03-30)
GHSA: regular expression denial-of-service (ReDoS) in Bleach (2020-03-30)

📋Vendor Advisories (2)

Ubuntu: Bleach vulnerabilities (2026-03-05)
Debian: CVE-2020-6817: python-bleach - bleach.clean behavior parsing style attributes could result in a regular express... (2020)

💬Community (3)

Bugzilla: CVE-2020-6817 python-bleach: behavior parsing style attributes could result in a regular expression denial of service (ReDoS) [epel-all] (2020-04-03)
Bugzilla: CVE-2020-6817 python-bleach: behavior parsing style attributes could result in a regular expression denial of service (ReDoS) (2020-04-03)
Bugzilla: CVE-2020-6817 python-bleach: behavior parsing style attributes could result in a regular expression denial of service (ReDoS) [fedora-all] (2020-04-03)
CVE-2020-6817 (HIGH CVSS 7.5) | bleach.clean behavior parsing style | cvebase.io