Reflected XSS in DocXMLRPCServer
DocXMLRPCServer does not HTML-escape the server title when it renders its documentation page, so an attacker who can control the server title can inject markup (including JavaScript) into that page.
The attacker has to find a way to control the server title.
Dates:
- Disclosure date: 2019-09-21 (Python issue bpo-38243 reported)
- Red Hat impact: Moderate
Fixed In
- Python 2.7.17 (2019-10-19) fixed by commit 8eb6415 (branch 2.7) (2019-10-01)
- Python 3.5.8 (2019-10-29) fixed by commit 3fe1b19 (branch 3.5) (2019-10-29)
- Python 3.6.10 (2019-12-18) fixed by commit 1698cac (branch 3.6) (2019-09-28)
- Python 3.7.5 (2019-10-15) fixed by commit 39a0c75 (branch 3.7) (2019-09-27)
- Python 3.8.0 (2019-10-14) fixed by commit 6447b9f (branch 3.8) (2019-09-27)
Python issue
[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py.
- Python issue: bpo-38243
- Creation date: 2019-09-21
- Reporter: longwenzhang
CVE-2019-16935
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
- CVE ID: CVE-2019-16935
- Published: 2019-09-28
- CVSS Score: 4.3
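As an added example (not part of this advisory or of CPython's own code), the check below tells a deployer whether the interpreter in use escapes the server title, and wraps set_server_title so that untrusted titles are escaped only on interpreters that lack the fix. DocOnlyDispatcher, PROBE_TITLE, render_docs, interpreter_escapes_title and set_title_safely are assumed names, and the probe string is constructed; the dispatcher class only combines the two mixins that DocXMLRPCServer itself combines, minus the listening socket, so the page can be rendered offline.

```python
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe standing in for attacker-influenced input: harmless
# markup that must never reach the documentation page unescaped.
PROBE_TITLE = 'status <b class="probe">page</b> & "quotes"'
RAW_MARKER = '<b class="probe">'


class DocOnlyDispatcher(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Hypothetical helper: the same two mixins DocXMLRPCServer combines,
    without binding a socket, so generate_html_documentation() runs offline."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def add(a, b):
    """Return a + b (registered only so the page has a Methods section)."""
    return a + b


def render_docs(title):
    """Return the HTML a browser would receive for GET / on the doc server."""
    dispatcher = DocOnlyDispatcher()
    dispatcher.register_function(add)
    dispatcher.set_server_title(title)
    return dispatcher.generate_html_documentation()


def interpreter_escapes_title():
    """True when this interpreter carries the bpo-38243 fix: the probe's
    text reaches the page, but its markup never appears raw."""
    page = render_docs(PROBE_TITLE)
    return "probe" in page and RAW_MARKER not in page


def set_title_safely(dispatcher, untrusted_title):
    """Application-side mitigation: on an unfixed interpreter, escape the
    title before set_server_title(); on a fixed one, let the library do it
    (escaping twice would show the entities literally in the browser)."""
    if not interpreter_escapes_title():
        untrusted_title = html.escape(untrusted_title)
    dispatcher.set_server_title(untrusted_title)
    return untrusted_title


if __name__ == "__main__":
    print("server title escaped by this interpreter:", interpreter_escapes_title())
```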
Timeline
Timeline using the disclosure date 2019-09-21 as reference:
- 2019-09-21: Python issue bpo-38243 reported by longwenzhang
- 2019-09-27 (+6 days): commit 39a0c75 (branch 3.7)
- 2019-09-27 (+6 days): commit 6447b9f (branch 3.8)
- 2019-09-28 (+7 days): CVE-2019-16935 published
- 2019-09-28 (+7 days): commit 1698cac (branch 3.6)
- 2019-10-01 (+10 days): commit 8eb6415 (branch 2.7)
- 2019-10-14: Python 3.8.0 released
- 2019-10-15 (+24 days): Python 3.7.5 released
- 2019-10-19 (+28 days): Python 2.7.17 released
- 2019-10-29 (+38 days): commit 3fe1b19 (branch 3.5)
- 2019-10-29 (+38 days): Python 3.5.8 released
- 2019-12-18 (+88 days): Python 3.6.10 released