{
  "threat_severity" : "Moderate",
  "public_date" : "2021-03-10T00:00:00Z",
  "bugzilla" : {
    "description" : "python: Information disclosure via pydoc",
    "id" : "1935913",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1935913"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", "A flaw was found in Python 3's pydoc. This flaw allows a local or adjacent attacker who discovers or can convince another local or adjacent user to start a pydoc server to access the server and then use it to disclose sensitive information belonging to the other user that they would not normally have the ability to access. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "Red Hat Quay from version 3.4 uses Python from Red Hat Enterprise Linux RPM repositories and therefore may receive an update for this issue in a future release. Earlier versions of Red Hat Quay will not receive a patch for this issue.\nPython 2.x.x as shipped in any Red Hat product is not affected. This flaw is out of support scope for python3 as shipped with Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ .",
  "acknowledgement" : "Red Hat would like to thank David Schwörer (Fedora) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4160",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39:3.9-8050020210811100211.d428a79b"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4160",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39-devel:3.9-8050020210811100211.d428a79b"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4162",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python38:3.8-8050020210811101222.e3d35cca"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4162",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python38-devel:3.8-8050020210811101222.e3d35cca"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4399",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-41.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4399",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-41.el8"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-babel-0:2.7.0-12.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-0:3.8.11-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-cryptography-0:2.8-5.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-jinja2-0:2.10.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-lxml-0:4.4.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-pip-0:19.3.1-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-urllib3-0:1.25.7-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-babel-0:2.7.0-12.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-0:3.8.11-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-cryptography-0:2.8-5.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-jinja2-0:2.10.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-lxml-0:4.4.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-pip-0:19.3.1-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-urllib3-0:1.25.7-7.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python27:2.7/python2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "python27-python",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3426\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3426" ],
  "name" : "CVE-2021-3426",
  "mitigation" : {
    "value" : "Use the console (no argument needed) or HTML file (-w argument) output to generate docs rather than the HTTP server options. Put differently, do not use the -p or -n options of pydoc.",
    "lang" : "en:us"
  },
  "csaw" : false
}