CVE-2021-3426

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

CVSS v3 5.7 MEDIUM
CVSS v2.0 2.7 LOW

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.7^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 5.1 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1935913	Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/
https://security.gentoo.org/glsa/202104-04	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210629-0003/	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python:3.10.0:alpha1::::::
	cpe:2.3:a:python:python:3.10.0:alpha2::::::
	cpe:2.3:a:python:python:3.10.0:alpha3::::::
	cpe:2.3:a:python:python:3.10.0:alpha4::::::
	cpe:2.3:a:python:python:3.10.0:alpha5::::::
	cpe:2.3:a:python:python:3.10.0:alpha6::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:redhat:software_collections:-:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:netapp:cloud_backup:-:::::::*
	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:::::::*
	cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*

History

30 Jun 2023, 23:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html -

25 Oct 2022, 20:56

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-22

01 Mar 2022, 15:29

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:::::::* cpe:2.3:a:netapp:snapcenter:-:::::::* cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::* cpe:2.3:a:netapp:cloud_backup:-:::::::*
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210629-0003/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210629-0003/ - Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory

07 Feb 2022, 16:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

20 Oct 2021, 11:17

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210629-0003/ - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

27 May 2021, 20:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:python:python:::::::: cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:a:python:python:3.10.0:alpha2:::::: cpe:2.3:a:redhat:software_collections:-:::::::* cpe:2.3:a:python:python:3.10.0:alpha1:::::: cpe:2.3:a:python:python:3.10.0:alpha3:::::: cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:a:python:python:3.10.0:alpha4:::::: cpe:2.3:a:python:python:3.10.0:alpha5:::::: cpe:2.3:a:python:python:3.10.0:alpha6:::::: cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:fedoraproject:fedora:32:::::::*
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/ - Mailing List, Third Party Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1935913 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1935913 - Issue Tracking, Patch, Third Party Advisory
References	~~(GENTOO) https://security.gentoo.org/glsa/202104-04 -~~	(GENTOO) https://security.gentoo.org/glsa/202104-04 - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/ - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html - Mailing List, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.7 v3 : 5.7

20 May 2021, 14:29

Type	Values Removed	Values Added
CWE		CWE-200

20 May 2021, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-05-20 13:15

Updated : 2024-02-04 21:47

NVD link : CVE-2021-3426

Mitre link : CVE-2021-3426

CVE.ORG link : CVE-2021-3426

JSON object : View

Products Affected

redhat

software_collections
enterprise_linux

debian

debian_linux

netapp

snapcenter
ontap_select_deploy_administration_utility
cloud_backup

oracle

zfs_storage_appliance_kit
communications_cloud_native_core_binding_support_function

fedoraproject

fedora

python

python

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

5.7 /10

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.7 /10

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-3426

5.7^/10

2.7^/10

Attach tags to `CVE-2021-3426`