CVE-2021-3426
Published: 20 May 2021
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
Notes
| Author | Note |
|---|---|
| mdeslaur | getfile introduced in 3.2.0 |
| sbeattie | upstream fixed this by removing the getfile feature |
Mitigation
Do not expose the pydoc webserver to untrusted users.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Not vulnerable
(code not present)
|
|
| hirsute |
Not vulnerable
(code not present)
|
|
| impish |
Not vulnerable
(code not present)
|
|
| jammy |
Not vulnerable
(code not present)
|
|
| kinetic |
Not vulnerable
(code not present)
|
|
| lunar |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Not vulnerable
(debian: Vulnerable code not present)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
python3.10 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Not vulnerable
(3.10.0~a7-3)
|
|
| impish |
Not vulnerable
(3.10.0~rc2-1build1)
|
|
| jammy |
Not vulnerable
(3.10.0~rc2-1build1)
|
|
| kinetic |
Not vulnerable
(3.10.0~rc2-1build1)
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.10.0a7)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/9b999479c0022edfc9835a8a1f06e046f3881048 |
||
|
python3.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Released
(3.4.3-1ubuntu1~14.04.7+esm12)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Needed
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.5.2-2ubuntu0~16.04.13+esm2)
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.9-1~18.04ubuntu1.7)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/5b1e50256b6532667b6d31debc350f6c7d3f30aa |
||
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.7.5-2ubuntu1~18.04.2+esm1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/7c2284f97d140c4e4a85382bfb3a42440be2464d |
||
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 |
||
|
python3.9 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(3.9.5-3~20.04.1)
|
|
| groovy |
Released
(3.9.5-3~20.10.1)
|
|
| hirsute |
Released
(3.9.5-3~21.04)
|
|
| impish |
Released
(3.9.5-2ubuntu1)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.9.3-1)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/ed753d94856213ae9fc028195f670e66a24e2334 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.7 |
| Attack vector | Adjacent |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426
- https://python-security.readthedocs.io/vuln/pydoc-getfile.html
- https://github.com/python/cpython/pull/24337
- https://github.com/python/cpython/pull/24285
- https://ubuntu.com/security/notices/USN-5342-1
- https://ubuntu.com/security/notices/USN-5342-3
- NVD
- Launchpad
- Debian