Bug 1935913 (CVE-2021-3426) - CVE-2021-3426 python: information disclosure via pydoc
Summary: CVE-2021-3426 python: information disclosure via pydoc
Status: NEW
Alias: CVE-2021-3426
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1936698 1936700 1936701 1936703 1936931 1936933 1936937 1936699 1936702 1936936 1937474 1937475 1937476 1937477 1937479 1937480 1937481 1937482 1937483
Blocks: 1937052 1919196
Reported: 2021-03-05 19:20 UTC by msiddiqu
Modified: 2021-04-08 22:03 UTC

Doc Text:
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality.

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Python | 42988 | 0 | None | None | None | 2021-03-10 18:48:49 UTC

Description msiddiqu 2021-03-05 19:20:02 UTC
Running `pydoc -p` allows other local users to extract arbitrary files

Comment 11 Todd Cullum 2021-03-10 00:11:13 UTC
Not sure why it's not mentioned upstream, but in Python 3.7.0 alpha 1+, pydoc has the -n command[1][2]. So using -n can additionally expose this to adjacent attackers rather than just local attackers.

1. https://bugs.python.org/issue31128
2. https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5

Comment 13 Todd Cullum 2021-03-10 00:32:09 UTC
Statement:

Red Hat Quay from version 3.4 uses Python from Red Hat Enterprise Linux RPM repositories and therefore may receive an update for this issue in a future release. Earlier versions of Red Hat Quay will not receive a patch for this issue.

Python 2.x.x as shipped in any Red Hat product is not affected. This flaw is out of support scope for python3 as shipped with Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ .

Comment 16 Todd Cullum 2021-03-10 17:53:06 UTC
There is not yet a fix in an upstream Python release at this time.

Comment 17 Todd Cullum 2021-03-10 18:00:58 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-32 [bug 1937475]
Affects: fedora-33 [bug 1937483]


Created python3 tracking bugs for this issue:

Affects: fedora-32 [bug 1937476]


Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1937474]
Affects: fedora-32 [bug 1937477]


Created python35 tracking bugs for this issue:

Affects: fedora-32 [bug 1937479]


Created python36 tracking bugs for this issue:

Affects: fedora-32 [bug 1937480]


Created python37 tracking bugs for this issue:

Affects: fedora-32 [bug 1937481]


Created python39 tracking bugs for this issue:

Affects: fedora-32 [bug 1937482]

Comment 19 Todd Cullum 2021-04-08 22:03:52 UTC
Mitigation:

Use the console (no argument needed) or HTML file (-w argument) output to generate docs rather than the HTTP server options. Put differently, do not use the -p or -n options of pydoc.
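
Added example, not part of the bug report or of Python itself: an audit helper that flags command lines which start pydoc's HTTP server (the -p and -n options named in the mitigation above) and reports whether -n binds beyond loopback. The option string, the inclusion of -b (which also starts the server), the function names and the sample command lines are assumptions made for this example.

```python
import getopt
import os
import re

PYDOC_OPTS = "bk:n:p:w"   # modelled on pydoc's documented options (assumption)
PYDOC_EXE = re.compile(r"^pydoc(\d+(\.\d+)?)?$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SAMPLES = [  # constructed command lines, not taken from the bug report
    ["pydoc3", "-p", "8080"], ["pydoc3", "-w", "os"],
    ["/usr/bin/python3", "-m", "pydoc", "-n", "0.0.0.0", "-p", "8080"],
]

def pydoc_args(argv):
    """Arguments handed to pydoc, or None when argv is not a pydoc invocation."""
    for i, tok in enumerate(argv):
        if PYDOC_EXE.match(os.path.basename(tok)):
            return argv[i + 1:]
        if tok == "-m" and argv[i + 1:i + 2] == ["pydoc"]:
            return argv[i + 2:]
    return None

def classify(argv):
    """None (no HTTP server), 'local' (loopback bind) or 'adjacent' (-n other host)."""
    args = pydoc_args(argv)
    if args is None:
        return None
    try:
        opts = dict(getopt.getopt(args, PYDOC_OPTS)[0])
    except getopt.GetoptError:
        return None  # pydoc would print its usage text and exit
    if not {"-p", "-n", "-b"} & opts.keys():  # -b also starts the server
        return None  # console or -w output, the usage the mitigation recommends
    return "local" if opts.get("-n", "localhost") in LOOPBACK else "adjacent"

def scan_proc(proc="/proc"):
    """Linux only: map pid -> (verdict, argv) for running pydoc servers."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")[:-1]
        except OSError:
            continue  # process exited or is unreadable for this user
        if (verdict := classify(argv)):
            hits[int(pid)] = (verdict, argv)
    return hits

if __name__ == "__main__":
    for argv in SAMPLES:
        print(classify(argv), " ".join(argv))
```

Matching is by token name only, so an unrelated process that merely has `pydoc` as an argument can be reported; treat hits as candidates to confirm against listening sockets.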

