Information disclosure via pydoc getfile

Running “pydoc -p” allows other local users to extract arbitrary files.

The “/getfile?key=path” URL allows to read arbitrary file on the filesystem.

  • Disclosure date: 2021-01-21 (Python issue bpo-42988 reported)
  • Reported at: 2021-01-19
  • Reported by: David Schwörer (on the Fedora bugzilla)

Fixed In

Python issue

[security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem.

  • Python issue: bpo-42988
  • Creation date: 2021-01-21
  • Reporter: Miro Hrončok

CVE-2021-3426

There’s a flaw in Python 3’s pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

Timeline

Timeline using the disclosure date 2021-01-21 as reference: