Reflected XSS in DocXMLRPCServer¶

DocXMLRPCServer does not escape the server title.

The attacker has to find a way to control the server title.

Disclosure date: 2019-09-21 (Python issue bpo-38243 reported)
Red Hat impact: Moderate

Fixed In¶

Python 2.7.17 (2019-10-19) fixed by commit 8eb6415 (branch 2.7) (2019-10-01)
Python 3.5.8 (2019-10-29) fixed by commit 3fe1b19 (branch 3.5) (2019-10-29)
Python 3.6.10 (2019-12-18) fixed by commit 1698cac (branch 3.6) (2019-09-28)
Python 3.7.5 (2019-10-15) fixed by commit 39a0c75 (branch 3.7) (2019-09-27)
Python 3.8.0 (2019-10-14) fixed by commit 6447b9f (branch 3.8) (2019-09-27)

Python issue¶

[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py.

Python issue: bpo-38243
Creation date: 2019-09-21
Reporter: longwenzhang

CVE-2019-16935¶

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

CVE ID: CVE-2019-16935
Published: 2019-09-28
CVSS Score: 4.3

Timeline¶

Timeline using the disclosure date 2019-09-21 as reference:

2019-09-21: Python issue bpo-38243 reported by longwenzhang
2019-09-27 (+6 days): commit 39a0c75 (branch 3.7)
2019-09-27 (+6 days): commit 6447b9f (branch 3.8)
2019-09-28 (+7 days): CVE-2019-16935 published
2019-09-28 (+7 days): commit 1698cac (branch 3.6)
2019-10-01 (+10 days): commit 8eb6415 (branch 2.7)
2019-10-14: Python 3.8.0 released
2019-10-15 (+24 days): Python 3.7.5 released
2019-10-19 (+28 days): Python 2.7.17 released
2019-10-29 (+38 days): commit 3fe1b19 (branch 3.5)
2019-10-29 (+38 days): Python 3.5.8 released
2019-12-18 (+88 days): Python 3.6.10 released