CVE-2021-3426: Path Traversal
First published: Fri Mar 05 2021(Updated: )
Python pydoc module could allow a remote attacker from within the local network obtain sensitive information. By starting the pydoc server, an attacker could exploit this vulnerability to extract arbitrary files.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python | <3.8.9 | 3.8.9 |
| redhat/python | <3.9.3 | 3.9.3 |
| redhat/python | <3.10.0 | 3.10.0 |
| redhat/python3 | <0:3.6.8-41.el8 | 0:3.6.8-41.el8 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| Python Python | <2.7.18 | |
| Python Python | >=3.6.0<3.6.13 | |
| Python Python | >=3.7.0<3.7.10 | |
| Python Python | >=3.8.0<3.8.8 | |
| Python Python | >=3.9.0<3.9.3 | |
| Python Python | =3.10.0-alpha1 | |
| Python Python | =3.10.0-alpha2 | |
| Python Python | =3.10.0-alpha3 | |
| Python Python | =3.10.0-alpha4 | |
| Python Python | =3.10.0-alpha5 | |
| Python Python | =3.10.0-alpha6 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =9.0 | |
| Redhat Software Collections | ||
| Redhat Enterprise Linux | =8.0 | |
| Netapp Cloud Backup | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp Snapcenter | ||
| Oracle Communications Cloud Native Core Binding Support Function | =1.10.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
| IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/201171
- https://www.ibm.com/support/pages/node/7080058 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1935913
- https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/
- https://security.gentoo.org/glsa/202104-04
- https://security.netapp.com/advisory/ntap-20210629-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/python/cpython/pull/24337
- https://github.com/python/cpython/pull/24285
- https://bugs.python.org/issue31128
- https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5
- https://access.redhat.com/support/policy/updates/errata/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937475
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937483
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937476
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937474
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937477
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937479
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937480
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937481
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1937482
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/security/cve/cve-2021-3426
- https://access.redhat.com/errata/RHSA-2021:4160
- https://access.redhat.com/errata/RHSA-2021:4162
- https://access.redhat.com/errata/RHSA-2021:4399
- https://www.cve.org/CVERecord?id=CVE-2021-3426 https://nvd.nist.gov/vuln/detail/CVE-2021-3426
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-3426?
CVE-2021-3426 is a vulnerability in Python 3's pydoc that allows a local or adjacent attacker to access and disclose sensitive information belonging to another user.
How does CVE-2021-3426 affect Python 3?
CVE-2021-3426 affects Python 3 versions 3.8.9, 3.9.3, and 3.10.0.
How can the CVE-2021-3426 vulnerability be exploited?
The CVE-2021-3426 vulnerability can be exploited by a local or adjacent attacker who starts a pydoc server and convinces another user to access it, thereby allowing the attacker to access sensitive information.
What is the severity of CVE-2021-3426?
CVE-2021-3426 has a severity rating of 5.7 (Medium).
How can I fix the CVE-2021-3426 vulnerability?
To fix the CVE-2021-3426 vulnerability, it is recommended to update Python 3 to versions 3.8.9, 3.9.3, or 3.10.0.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3426
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/ibm
- canonical/ibm cloud pak for security
- version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
- canonical/ibm qradar suite software
- version/ibm qradar suite software/1.10.12.0 - 1.10.16.0
- vendor/python
- canonical/python python
- version/python python/3.6.0
- version/python python/3.7.0
- version/python python/3.8.0
- version/python python/3.9.0
- version/python python/3.10.0-alpha1
- version/python python/3.10.0-alpha2
- version/python python/3.10.0-alpha3
- version/python python/3.10.0-alpha4
- version/python python/3.10.0-alpha5
- version/python python/3.10.0-alpha6
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/redhat
- canonical/redhat software collections
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp ontap select deploy administration utility
- canonical/netapp snapcenter
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.10.0
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- package-manager/redhat