CVE-2019-16935

Published: 28 September 2019

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the HTTP URL for this server.
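Because the status table below shows distributions backporting the fix without changing the interpreter version (for example python3.6 3.6.8 on 18.04), a version check alone does not tell you whether a given interpreter escapes server_title. The following is an added example, not code from this page or from CPython: it renders the same documentation page that DocXMLRPCServer serves on GET / in-process (no socket), using the standard-library SimpleXMLRPCDispatcher and XMLRPCDocGenerator classes, and reports whether a constructed title containing markup comes back escaped. The InProcessDocServer class, the add function and the PROBE_TITLE value are assumptions made for the example; the version ranges in version_looks_fixed are taken from the advisory text above.

```python
import html
import sys
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator


def add(a, b):
    """Add two integers (registered only so the doc page lists a method)."""
    return a + b


class InProcessDocServer(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Hypothetical helper (not part of the stdlib): the dispatcher and the
    documentation generator that DocXMLRPCServer combines, minus the socket,
    so the GET / page can be rendered without binding a port."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self, allow_none=False, encoding=None)
        XMLRPCDocGenerator.__init__(self)
        self.register_function(add, "add")


# Constructed probe value, in the shape the advisory describes: a title that
# contains markup. If it survives rendering verbatim, the page is injectable.
PROBE_TITLE = "Status page <script>"


def render_doc_page(server_title):
    """Render the HTML documentation page for the given server title."""
    srv = InProcessDocServer()
    srv.set_server_title(server_title)
    return srv.generate_html_documentation()


def title_is_escaped(server_title=PROBE_TITLE):
    """True when the interpreter HTML-escapes server_title before embedding it
    (the upstream fix), False when it reflects it verbatim (vulnerable)."""
    page = render_doc_page(server_title)
    return html.escape(server_title) in page and server_title not in page


def version_looks_fixed(info=sys.version_info):
    """Version-only check derived from the ranges in the advisory text.
    Less reliable than the behavioural probe above, because distributions
    backport the fix without bumping the version."""
    major, minor, micro = info[:3]
    if major == 2:
        return (minor, micro) > (7, 16)
    if (major, minor) < (3, 7):
        return (major, minor, micro) > (3, 6, 9)
    if (major, minor) == (3, 7):
        return micro > 4
    return True  # 3.8 and later shipped with the fix per the status table


if __name__ == "__main__":
    print("version suggests fixed:", version_looks_fixed())
    print("title actually escaped:", title_is_escaped())
```

Run it with the interpreter you are auditing; a `False` from `title_is_escaped()` on a build whose version number looks fixed means the package is an unpatched backport. Until the interpreter is patched, the only safe course is to never pass untrusted strings to set_server_title at all; escaping the value yourself before the call works on unpatched builds but double-escapes on patched ones.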

Priority

Low

CVSS 3 base score: 6.1

Status

Package / Release / Status

python2.7 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2.7.17-1ubuntu5)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.7.17-1ubuntu5)
  Ubuntu 18.04 LTS (Bionic Beaver): Released (2.7.15-4ubuntu4~18.04.2)
  Ubuntu 16.04 ESM (Xenial Xerus): Released (2.7.12-1ubuntu0~16.04.9)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (2.7.6-8ubuntu0.6+esm3)
  Patches:
    Upstream: https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89

python3.4 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Released (3.4.3-1ubuntu1~14.04.7+esm4)

python3.5 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus): Released (3.5.2-2ubuntu0~16.04.9)
  Ubuntu 14.04 ESM (Trusty Tahr): Needs triage

python3.6 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Released (3.6.8-1~18.04.3)
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389

python3.7 (Launchpad, Ubuntu, Debian)
  Upstream: Released (3.7.5~rc1-1)
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687

python3.8 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.8.0~rc1-1)
  Ubuntu 18.04 LTS (Bionic Beaver): Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28