CVE-2021-3426

EPSS 0.08%
Published 20.05.2021 13:15:07
Last modified 21.11.2024 06:21:28
Source secalert@redhat.com
Teams watchlist Login
Open Login

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

Affected products Warnungen 0 Metrics 3 CWE 2 References 17

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Python Version < 2.7.18

Python ≫ Python Version >= 3.6.0 < 3.6.13

Python ≫ Python Version >= 3.7.0 < 3.7.10

Python ≫ Python Version >= 3.8.0 < 3.8.8

Python ≫ Python Version >= 3.9.0 < 3.9.3

Python ≫ Python Version3.10.0 Updatealpha1

Python ≫ Python Version3.10.0 Updatealpha2

Python ≫ Python Version3.10.0 Updatealpha3

Python ≫ Python Version3.10.0 Updatealpha4

Python ≫ Python Version3.10.0 Updatealpha5

Python ≫ Python Version3.10.0 Updatealpha6

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Debian ≫ Debian Linux Version9.0

Redhat ≫ Software Collections Version-

Redhat ≫ Enterprise Linux Version8.0

Netapp ≫ Cloud Backup Version-

Netapp ≫ Ontap Select Deploy Administration Utility Version-

Netapp ≫ Snapcenter Version-

Oracle ≫ Communications Cloud Native Core Binding Support Function Version1.10.0

Oracle ≫ Zfs Storage Appliance Kit Version8.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.249

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.7	2.1	3.6	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.7	5.1	2.9	AV:A/AC:L/Au:S/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/

https://security.gentoo.org/glsa/202104-04

Third Party Advisory