Information disclosure via pydoc getfile
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Running “pydoc -p” allows other local users to extract arbitrary files.
The “/getfile?key=path” URL allows reading an arbitrary file on the filesystem.
Dates:
Disclosure date: 2021-01-21 (Python issue bpo-42988 reported)
Reported at: 2021-01-19
Reported by: David Schwörer (on the Fedora bugzilla)
Fixed In
Python 3.6.14 (2021-06-28) fixed by commit 5b1e502 (branch 3.6) (2021-03-29)
Python 3.7.11 (2021-06-28) fixed by commit 7c2284f (branch 3.7) (2021-03-29)
Python 3.8.9 (2021-04-02) fixed by commit 7e38d33 (branch 3.8) (2021-03-29)
Python 3.9.3 (2021-04-02) fixed by commit ed753d9 (branch 3.9) (2021-03-29)
Python 3.10.0 (2021-10-04) fixed by commit 9b99947 (branch 3.10) (2021-03-29)
Python issue
[security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows reading an arbitrary file on the filesystem.
Python issue: bpo-42988
Creation date: 2021-01-21
Reporter: Miro Hrončok
CVE-2021-3426
There’s a flaw in Python 3’s pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
CVE ID: CVE-2021-3426
Published: 2021-05-20
CVSS Score: 2.7
Timeline
Timeline using the disclosure date 2021-01-21 as reference:
2021-01-19 (-2 days): Reported
2021-01-21: Python issue bpo-42988 reported by Miro Hrončok
2021-03-29 (+67 days): commit 5b1e502 (branch 3.6)
2021-03-29 (+67 days): commit 7c2284f (branch 3.7)
2021-03-29 (+67 days): commit 7e38d33 (branch 3.8)
2021-03-29 (+67 days): commit 9b99947 (branch 3.10)
2021-03-29 (+67 days): commit ed753d9 (branch 3.9)
2021-04-02 (+71 days): Python 3.8.9 released
2021-04-02 (+71 days): Python 3.9.3 released
2021-05-20 (+119 days): CVE-2021-3426 published
2021-06-28 (+158 days): Python 3.6.14 released
2021-06-28 (+158 days): Python 3.7.11 released
2021-10-04: Python 3.10.0 released