Reflected XSS in DocXMLRPCServer

DocXMLRPCServer does not escape the server title.

The attacker has to find a way to control the server title.

Dates:

• Disclosure date: 2019-09-21 (Python issue bpo-38243 reported)
• Red Hat impact: Moderate

Fixed In

• Python 2.7.17 (2019-10-19) fixed by commit 8eb6415 (branch 2.7) (2019-10-01)
• Python 3.5.8 (2019-10-29) fixed by commit 3fe1b19 (branch 3.5) (2019-10-29)
• Python 3.6.10 (2019-12-18) fixed by commit 1698cac (branch 3.6) (2019-09-28)
• Python 3.7.5 (2019-10-15) fixed by commit 39a0c75 (branch 3.7) (2019-09-27)
• Python 3.8.0 (2019-10-14) fixed by commit 6447b9f (branch 3.8) (2019-09-27)

Python issue

[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py.

• Python issue: bpo-38243
• Creation date: 2019-09-21
• Reporter: longwenzhang

CVE-2019-16935

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

• CVE ID: CVE-2019-16935
• Published: 2019-09-28
• CVSS Score: 4.3

Timeline

Timeline using the disclosure date 2019-09-21 as reference:

• 2019-09-21: Python issue bpo-38243 reported by longwenzhang
• 2019-09-27 (+6 days): commit 39a0c75 (branch 3.7)
• 2019-09-27 (+6 days): commit 6447b9f (branch 3.8)
• 2019-09-28 (+7 days): CVE-2019-16935 published
• 2019-09-28 (+7 days): commit 1698cac (branch 3.6)
• 2019-10-01 (+10 days): commit 8eb6415 (branch 2.7)
• 2019-10-14: Python 3.8.0 released
• 2019-10-15 (+24 days): Python 3.7.5 released
• 2019-10-19 (+28 days): Python 2.7.17 released
• 2019-10-29 (+38 days): commit 3fe1b19 (branch 3.5)
• 2019-10-29 (+38 days): Python 3.5.8 released
• 2019-12-18 (+88 days): Python 3.6.10 released