Reflected XSS in DocXMLRPCServer

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

DocXMLRPCServer does not escape the server title.

The attacker has to find a way to control the server title.

Dates:

• Disclosure date: 2019-09-21 (Python issue bpo-38243 reported)
• Red Hat impact: Moderate

Fixed In

• Python 2.7.17 (2019-10-19) fixed by commit 8eb6415 (branch 2.7) (2019-10-01)
• Python 3.5.8 (2019-10-29) fixed by commit 3fe1b19 (branch 3.5) (2019-10-29)
• Python 3.6.10 (2019-12-18) fixed by commit 1698cac (branch 3.6) (2019-09-28)
• Python 3.7.5 (2019-10-14) fixed by commit 39a0c75 (branch 3.7) (2019-09-27)
• Python 3.8.0 (2019-10-14) fixed by commit 6447b9f (branch 3.8) (2019-09-27)

Python issue

[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py.

• Python issue: bpo-38243
• Creation date: 2019-09-21
• Reporter: longwenzhang

CVE-2019-16935

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

• CVE ID: CVE-2019-16935
• Published: 2019-09-28
• CVSS Score: 4.3

Timeline

Timeline using the disclosure date 2019-09-21 as reference:

• 2019-09-21: Python issue bpo-38243 reported by longwenzhang
• 2019-09-27 (+6 days): commit 39a0c75 (branch 3.7)
• 2019-09-27 (+6 days): commit 6447b9f (branch 3.8)
• 2019-09-28 (+7 days): CVE-2019-16935 published
• 2019-09-28 (+7 days): commit 1698cac (branch 3.6)
• 2019-10-01 (+10 days): commit 8eb6415 (branch 2.7)
• 2019-10-14: Python 3.8.0 released
• 2019-10-14 (+23 days): Python 3.7.5 released
• 2019-10-19 (+28 days): Python 2.7.17 released
• 2019-10-29 (+38 days): commit 3fe1b19 (branch 3.5)
• 2019-10-29 (+38 days): Python 3.5.8 released
• 2019-12-18 (+88 days): Python 3.6.10 released