// For flags

CVE-2021-3426

python: Information disclosure via pydoc

Severity Score

5.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

Se presenta un fallo en pydoc de Python versión 3. Un atacante local o adyacente que descubre o es capaz de convencer a otro usuario local o adyacente para que iniciar un servidor pydoc podría acceder al servidor y usarlo para divulgar información confidencial perteneciente al otro usuario al que normalmente no podría acceder. El mayor riesgo de este fallo es la confidencialidad de los datos. Este fallo afecta a Python versiones anteriores a 3.8.9, Python versiones anteriores a 3.9.3 y Python versiones anteriores a 3.10.0a7

A flaw was found in Python 3's pydoc. This flaw allows a local or adjacent attacker who discovers or can convince another local or adjacent user to start a pydoc server to access the server and then use it to disclose sensitive information belonging to the other user that they would not normally have the ability to access. The highest threat from this vulnerability is to data confidentiality.

*Credits: N/A
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Adjacent
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-03-09 CVE Reserved
  • 2021-05-03 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (15)
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
< 2.7.18
Search vendor "Python" for product "Python" and version " < 2.7.18"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.6.0 < 3.6.13
Search vendor "Python" for product "Python" and version " >= 3.6.0 < 3.6.13"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.7.0 < 3.7.10
Search vendor "Python" for product "Python" and version " >= 3.7.0 < 3.7.10"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.8.0 < 3.8.8
Search vendor "Python" for product "Python" and version " >= 3.8.0 < 3.8.8"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.9.0 < 3.9.3
Search vendor "Python" for product "Python" and version " >= 3.9.0 < 3.9.3"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.10.0
Search vendor "Python" for product "Python" and version "3.10.0"
alpha1
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.10.0
Search vendor "Python" for product "Python" and version "3.10.0"
alpha2
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.10.0
Search vendor "Python" for product "Python" and version "3.10.0"
alpha3
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.10.0
Search vendor "Python" for product "Python" and version "3.10.0"
alpha4
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.10.0
Search vendor "Python" for product "Python" and version "3.10.0"
alpha5
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.10.0
Search vendor "Python" for product "Python" and version "3.10.0"
alpha6
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
32
Search vendor "Fedoraproject" for product "Fedora" and version "32"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Redhat
Search vendor "Redhat"
Software Collections
Search vendor "Redhat" for product "Software Collections"
--
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Netapp
Search vendor "Netapp"
Cloud Backup
Search vendor "Netapp" for product "Cloud Backup"
--
Affected
Netapp
Search vendor "Netapp"
Ontap Select Deploy Administration Utility
Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility"
--
Affected
Netapp
Search vendor "Netapp"
Snapcenter
Search vendor "Netapp" for product "Snapcenter"
--
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Binding Support Function
Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"
1.10.0
Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.10.0"
-
Affected
Oracle
Search vendor "Oracle"
Zfs Storage Appliance Kit
Search vendor "Oracle" for product "Zfs Storage Appliance Kit"
8.8
Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"
-
Affected