FreeBSD VuXML: F671C282-95EF-11EB-9C34-080027F515EA
Jan 21, 2021 - 12:00 a.m.

python -- Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

2021-01-21 00:00:00
vuxml.freebsd.org

CVSS3: 5.7 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.7 Low
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:A/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 24.4%

David Schwörer reports:

    Remove the getfile feature of the pydoc module which could be
    abused to read arbitrary files on the disk (directory traversal
    vulnerability). Moreover, even source code of Python modules
    can contain sensitive data like passwords.

OS       Version  Architecture  Package   Version  Filename
FreeBSD  any      noarch        python38  < 3.8.9  UNKNOWN
FreeBSD  any      noarch        python39  < 3.9.3  UNKNOWN
