CVE-2021-3426

Description

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.7CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
• v2.0•LOW•Score: 2.7AV:A/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.08%• Percentile: 24%

Techniques & Countermeasures

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

• CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

• debian•debian_linux

  9.0

• fedoraproject•fedora

  32 | 33 | 34

• netapp•cloud_backup

  na

• netapp•ontap_select_deploy_administration_utility

  na

• netapp•snapcenter

  na

• oracle•communications_cloud_native_core_binding_support_function

  1.10.0

• oracle•zfs_storage_appliance_kit

  8.8

• python•python

  < 2.7.18 | ≥ 3.6.0, < 3.6.13 | ≥ 3.7.0, < 3.7.10 | ≥ 3.8.0, < 3.8.8 | ≥ 3.9.0, < 3.9.3 | 3.10.0:alpha1 | 3.10.0:alpha2 | 3.10.0:alpha3 | 3.10.0:alpha4 | 3.10.0:alpha5 | 3.10.0:alpha6

• redhat•enterprise_linux

  8.0

• redhat•software_collections

  na

References (15)

• https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/
• https://security.gentoo.org/glsa/202104-04
• https://bugzilla.redhat.com/show_bug.cgi?id=1935913
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://security.netapp.com/advisory/ntap-20210629-0003/
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html