Bug 1935913 (CVE-2021-3426) - CVE-2021-3426 python: Information disclosure via pydoc
Summary: CVE-2021-3426 python: Information disclosure via pydoc
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3426
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936931 1936937 1936698 1936699 1936700 1936701 1936702 1936703 1936933 1936936 1937474 1937475 1937476 1937477 1937479 1937480 1937481 1937482 1937483 1969518
Blocks: 1919196 1937052
Reported: 2021-03-05 19:20 UTC by msiddiqu
Modified: 2021-11-09 18:37 UTC (History)

Fixed In Version: python 3.8.9, python 3.9.3, python 3.10.0a7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python 3's pydoc. This flaw allows a local or adjacent attacker who discovers or can convince another local or adjacent user to start a pydoc server to access the server and then use it to disclose sensitive information belonging to the other user that they would not normally have the ability to access. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-08-24 15:34:58 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Python 42988 0 None None None 2021-03-10 18:48:49 UTC
Red Hat Product Errata RHSA-2021:3254 0 None None None 2021-08-24 08:09:13 UTC
Red Hat Product Errata RHSA-2021:4160 0 None None None 2021-11-09 17:27:08 UTC
Red Hat Product Errata RHSA-2021:4162 0 None None None 2021-11-09 17:28:17 UTC
Red Hat Product Errata RHSA-2021:4399 0 None None None 2021-11-09 18:37:06 UTC

Description msiddiqu 2021-03-05 19:20:02 UTC
Running `pydoc -p` allows other local users to extract arbitrary files

Comment 11 Todd Cullum 2021-03-10 00:11:13 UTC
Not sure why it's not mentioned upstream, but in Python 3.7.0 alpha 1+, pydoc has the -n command[1][2]. So using -n can additionally expose this to adjacent attackers rather than just local attackers.

1. https://bugs.python.org/issue31128
2. https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5

Comment 13 Todd Cullum 2021-03-10 00:32:09 UTC
Statement:

Red Hat Quay from version 3.4 uses Python from Red Hat Enterprise Linux RPM repositories and therefore may receive an update for this issue in a future release. Earlier versions of Red Hat Quay will not receive a patch for this issue.

Python 2.x.x as shipped in any Red Hat product is not affected. This flaw is out of support scope for python3 as shipped with Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ .

Comment 16 Todd Cullum 2021-03-10 17:53:06 UTC
There is not yet a fix in an upstream Python release at this time.

Comment 17 Todd Cullum 2021-03-10 18:00:58 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-32 [bug 1937475]
Affects: fedora-33 [bug 1937483]


Created python3 tracking bugs for this issue:

Affects: fedora-32 [bug 1937476]


Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1937474]
Affects: fedora-32 [bug 1937477]


Created python35 tracking bugs for this issue:

Affects: fedora-32 [bug 1937479]


Created python36 tracking bugs for this issue:

Affects: fedora-32 [bug 1937480]


Created python37 tracking bugs for this issue:

Affects: fedora-32 [bug 1937481]


Created python39 tracking bugs for this issue:

Affects: fedora-32 [bug 1937482]

Comment 19 Todd Cullum 2021-04-08 22:03:52 UTC
Mitigation:

Use the console (no argument needed) or HTML file (-w argument) output to generate docs rather than the HTTP server options. Put differently, do not use the -p or -n options of pydoc.

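As an added example (not part of this bug report), a small Python audit that parses candidate process command lines with pydoc's own option string and reports whether each one starts the documentation HTTP server on loopback (the local exposure described here) or on another address via -n (the adjacent exposure noted in comment 11); it also treats -b as a server option, which pydoc accepts but the mitigation above does not list. The sample command lines are constructed.

```python
import getopt
import ipaddress
import shlex

# pydoc's own getopt string (bk:n:p:w): -b and -p start the HTTP server,
# -n sets its bind hostname (and also starts the server), -w writes HTML.
PYDOC_OPTS = "bk:n:p:w"

def _pydoc_args(argv):
    """Return pydoc's own arguments, or None if argv is not a pydoc run."""
    if argv and "pydoc" in argv[0].rsplit("/", 1)[-1]:
        return argv[1:]
    if "-m" in argv and argv[argv.index("-m") + 1:][:1] == ["pydoc"]:
        return argv[argv.index("-m") + 2:]  # python3 -m pydoc ...
    return None

def _is_loopback(host):
    """'localhost' or a loopback IP literal; other names are assumed remote."""
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def classify_pydoc(cmdline):
    """'none' (no server), 'local' (server on loopback: the CVE-2021-3426
    exposure to other local users) or 'adjacent' (bound elsewhere via -n)."""
    args = _pydoc_args(shlex.split(cmdline))
    if args is None:
        return "none"
    try:
        opts, _ = getopt.getopt(args, PYDOC_OPTS)
    except getopt.GetoptError:
        return "none"  # pydoc itself would reject this invocation
    serving, host = False, "localhost"
    for opt, val in opts:
        if opt in ("-b", "-p"):
            serving = True
        elif opt == "-n":
            serving, host = True, val
    if not serving:
        return "none"
    return "local" if _is_loopback(host) else "adjacent"

# Constructed process command lines (as from `ps -eo args`), not real data.
SAMPLE_PS = [
    "python3 -m pydoc -w os",          # writes os.html, no server
    "pydoc3 -p 8080",                  # loopback server: local exposure
    "pydoc3 -n 0.0.0.0 -p 8080",       # reachable from the network
    "/usr/bin/pydoc3.9 -n 127.0.0.1",  # -n alone still serves, loopback
]
```

Feeding real `ps -eo args` output through classify_pydoc lists the sessions that should be restarted with console or -w output instead.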
Comment 23 errata-xmlrpc 2021-08-24 08:09:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 24 Product Security DevOps Team 2021-08-24 15:34:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3426

Comment 25 errata-xmlrpc 2021-11-09 17:27:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 26 errata-xmlrpc 2021-11-09 17:28:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 27 errata-xmlrpc 2021-11-09 18:37:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4399 https://access.redhat.com/errata/RHSA-2021:4399
