.. _pydoc-getfile:

Information disclosure via pydoc getfile
========================================

.. warning::
   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for
   vulnerabilities affecting Python `_ is available on GitHub in the Open
   Source Vulnerability (OSV) format. This vulnerability can be viewed online
   at the `Open Source Vulnerability Database `_.

Running "pydoc -p" allows other local users to extract arbitrary files. The
"/getfile?key=path" URL allows reading arbitrary files on the filesystem.

Dates:

* Disclosure date: **2021-01-21** (Python issue bpo-42988 reported)
* Reported at: 2021-01-19
* Reported by: David Schwörer (on the Fedora bugzilla)

Fixed In
--------

* Python **3.6.14** (2021-06-28) fixed by `commit 5b1e502 (branch 3.6) `_ (2021-03-29)
* Python **3.7.11** (2021-06-28) fixed by `commit 7c2284f (branch 3.7) `_ (2021-03-29)
* Python **3.8.9** (2021-04-02) fixed by `commit 7e38d33 (branch 3.8) `_ (2021-03-29)
* Python **3.9.3** (2021-04-02) fixed by `commit ed753d9 (branch 3.9) `_ (2021-03-29)
* Python **3.10.0** (2021-10-04) fixed by `commit 9b99947 (branch 3.10) `_ (2021-03-29)

Python issue
------------

[security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem.

* Python issue: `bpo-42988 `_
* Creation date: 2021-01-21
* Reporter: Miro Hrončok

CVE-2021-3426
-------------

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers
or is able to convince another local or adjacent user to start a pydoc server
could access the server and use it to disclose sensitive information belonging
to the other user that they would not normally be able to access. The highest
risk of this flaw is to data confidentiality. This flaw affects Python versions
before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
* CVE ID: `CVE-2021-3426 `_
* Published: 2021-05-20
* `CVSS Score `_: 2.7

Timeline
--------

Timeline using the disclosure date **2021-01-21** as reference:

* 2021-01-19 (**-2 days**): Reported
* 2021-01-21: `Python issue bpo-42988 `_ reported by Miro Hrončok
* 2021-03-29 (**+67 days**): `commit 5b1e502 (branch 3.6) `_
* 2021-03-29 (**+67 days**): `commit 7c2284f (branch 3.7) `_
* 2021-03-29 (**+67 days**): `commit 7e38d33 (branch 3.8) `_
* 2021-03-29 (**+67 days**): `commit 9b99947 (branch 3.10) `_
* 2021-03-29 (**+67 days**): `commit ed753d9 (branch 3.9) `_
* 2021-04-02 (**+71 days**): Python 3.8.9 released
* 2021-04-02 (**+71 days**): Python 3.9.3 released
* 2021-05-20 (**+119 days**): CVE-2021-3426 published
* 2021-06-28 (**+158 days**): Python 3.6.14 released
* 2021-06-28 (**+158 days**): Python 3.7.11 released
* 2021-10-04: Python 3.10.0 released

Links
-----

* https://bugzilla.redhat.com/show_bug.cgi?id=1917807
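The "Fixed In" list above, turned into a check an administrator can run against an interpreter to see whether its ``pydoc -p`` still serves ``/getfile``. This is an added example, not code from the Python project or this page; the fix thresholds are the release numbers listed above plus the 3.10.0a7 cut-off from the CVE text, and treating 3.5 and older as "no data on this page" is an assumption.

```python
import sys
from typing import Optional, Tuple

# First micro release carrying the fix, per the "Fixed In" list above.
# The 3.10 entry is the final 3.10.0 release; pre-releases are handled below.
FIXED_MICRO = {
    (3, 6): 14,
    (3, 7): 11,
    (3, 8): 9,
    (3, 9): 3,
    (3, 10): 0,
}

# Per the CVE text, the fix was already present in 3.10.0a7.
FIRST_FIXED_310_ALPHA = 7


def is_affected(version_info: Tuple) -> Optional[bool]:
    """Return True if pydoc -p in this version still exposes /getfile.

    `version_info` has the shape of sys.version_info:
    (major, minor, micro, releaselevel, serial).
    Returns None when this page gives no fix data for the branch
    (assumption: Python 2 and Python 3.5 or older are out of scope here).
    """
    major, minor, micro, releaselevel, serial = tuple(version_info)[:5]
    if major != 3 or minor < 6:
        return None
    if minor > 10:
        return False  # branches created after the fix landed in 2021
    fixed_micro = FIXED_MICRO[(major, minor)]
    if micro != fixed_micro:
        return micro < fixed_micro
    # Same micro as the fix release: only 3.10.0 alphas before a7 are affected.
    if (major, minor) == (3, 10) and releaselevel == "alpha":
        return serial < FIRST_FIXED_310_ALPHA
    return False


def running_interpreter_affected() -> Optional[bool]:
    """Check the interpreter executing this script."""
    return is_affected(sys.version_info)


if __name__ == "__main__":
    print(f"{sys.version.split()[0]} affected by CVE-2021-3426: "
          f"{running_interpreter_affected()}")
```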