CVE-2021-3426

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

CVSS v3.0 5.7 MEDIUM
CVSS v2.0 2.7 LOW

5.7^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.7^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 5.1 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/	Mailing List Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1935913	Issue Tracking Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202104-04	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20210629-0003/	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python:3.10.0:alpha1::::::
	cpe:2.3:a:python:python:3.10.0:alpha2::::::
	cpe:2.3:a:python:python:3.10.0:alpha3::::::
	cpe:2.3:a:python:python:3.10.0:alpha4::::::
	cpe:2.3:a:python:python:3.10.0:alpha5::::::
	cpe:2.3:a:python:python:3.10.0:alpha6::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:a:redhat:software_collections:-:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:netapp:cloud_backup:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:::::::*

Information

Published : 2021-05-20 06:15

Updated : 2022-10-25 13:56

NVD link : CVE-2021-3426

Mitre link : CVE-2021-3426

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

netapp

cloud_backup
ontap_select_deploy_administration_utility
snapcenter

python

python

redhat

enterprise_linux
software_collections

oracle

communications_cloud_native_core_binding_support_function
zfs_storage_appliance_kit

fedoraproject

fedora

debian

debian_linux

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/", "name": "FEDORA-2021-0a8f3ffbc0", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/", "name": "FEDORA-2021-b6b6093b3a", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/", "name": "FEDORA-2021-a26257ccf5", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html", "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/", "name": "FEDORA-2021-1769a23935", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/", "name": "FEDORA-2021-a311bf10d4", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935913", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1935913", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/", "name": "FEDORA-2021-067c9deff1", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://security.gentoo.org/glsa/202104-04", "name": "GLSA-202104-04", "tags": ["Third Party Advisory"], "refsource": "GENTOO"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/", "name": "FEDORA-2021-2ab6f060d9", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://security.netapp.com/advisory/ntap-20210629-0003/", "name": "https://security.netapp.com/advisory/ntap-20210629-0003/", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-3426", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.7, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 5.1, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}}, "publishedDate": "2021-05-20T13:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.8.8", "versionStartIncluding": "3.8.0"}, {"cpe23Uri": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.7.10", "versionStartIncluding": "3.7.0"}, {"cpe23Uri": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.6.13", "versionStartIncluding": "3.6.0"}, {"cpe23Uri": "cpe:2.3:a:python:python:3.10.0:alpha1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:python:python:3.10.0:alpha2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:python:python:3.10.0:alpha3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:python:python:3.10.0:alpha4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:python:python:3.10.0:alpha5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:python:python:3.10.0:alpha6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.9.3", "versionStartIncluding": "3.9.0"}, {"cpe23Uri": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.7.18"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-10-25T20:56Z"}

5.7 /10

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.7 /10

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-3426

5.7^/10

2.7^/10

Attach tags to `CVE-2021-3426`