Your submission was sent successfully! Close

CVE-2021-3426

Published: 20 May 2021

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

Notes

AuthorNote
mdeslaur
getfile introduced in 3.2.0
sbeattie
upstream fixed this by removing the getfile feature

Mitigation

Do not expose the pydoc webserver to untrusted users.
Priority

Low

CVSS 3 base score: 5.7

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
hirsute Not vulnerable
(code not present)
impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
precise Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Not vulnerable
(debian: Vulnerable code not present)
xenial Not vulnerable
(code not present)
python3.10
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Not vulnerable
(3.10.0~a7-3)
impish Not vulnerable
(3.10.0~rc2-1build1)
jammy Not vulnerable
(3.10.0~rc2-1build1)
kinetic Not vulnerable
(3.10.0~rc2-1build1)
trusty Does not exist

upstream
Released (3.10.0a7)
xenial Does not exist

Patches:
upstream: https://github.com/python/cpython/commit/9b999479c0022edfc9835a8a1f06e046f3881048




python3.4
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

trusty
Released (3.4.3-1ubuntu1~14.04.7+esm12)
upstream Needs triage

xenial Does not exist

python3.5
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist

trusty Needed

upstream Needs triage

xenial
Released (3.5.2-2ubuntu0~16.04.13+esm2)
python3.6
Launchpad, Ubuntu, Debian
bionic
Released (3.6.9-1~18.04ubuntu1.7)
focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Patches:

upstream: https://github.com/python/cpython/commit/5b1e50256b6532667b6d31debc350f6c7d3f30aa



python3.7
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Patches:


upstream: https://github.com/python/cpython/commit/7c2284f97d140c4e4a85382bfb3a42440be2464d


python3.8
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Not vulnerable
(code not present)
groovy Ignored
(reached end-of-life)
hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Patches:



upstream: https://github.com/python/cpython/commit/7e38d3309e0a5a7b9e23ef933aef0079c6e317f7

python3.9
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (3.9.5-3~20.04.1)
groovy
Released (3.9.5-3~20.10.1)
hirsute
Released (3.9.5-3~21.04)
impish
Released (3.9.5-2ubuntu1)
jammy Does not exist

kinetic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (3.9.3-1)
xenial Does not exist

Patches:




upstream: https://github.com/python/cpython/commit/ed753d94856213ae9fc028195f670e66a24e2334