FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

python -- Information disclosure via pydoc -p: /getfile?key=path allows reading an arbitrary file on the filesystem

Affected packages
python38 < 3.8.9
python39 < 3.9.3

Details

VuXML ID f671c282-95ef-11eb-9c34-080027f515ea
Discovery 2021-01-21
Entry 2021-04-10

David Schwörer reports:

Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.
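An added check, not part of this advisory or of CPython, that applies the affected ranges listed above to a FreeBSD package name and version and to the interpreter running the script. The pydoc source scan assumes the upstream fix removed every `getfile?key=` reference from pydoc.py, so its presence points at an unpatched copy.

```python
import inspect
import re
import sys

import pydoc

# Affected ranges as listed in the VuXML entry: python38 < 3.8.9, python39 < 3.9.3
AFFECTED = {
    "python38": (3, 8, 9),
    "python39": (3, 9, 3),
}


def parse_version(text):
    """Turn '3.8.7' or '3.8.7_1' (FreeBSD port revision suffix) into a tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(package, version):
    """True if the FreeBSD package/version pair falls inside an affected range."""
    fixed = AFFECTED.get(package)
    if fixed is None:
        return False  # python ports not listed in this entry are out of scope here
    return parse_version(version) < fixed


def running_interpreter_affected():
    """Apply the same ranges to the interpreter executing this script."""
    major, minor, micro = sys.version_info[:3]
    return is_affected("python%d%d" % (major, minor), "%d.%d.%d" % (major, minor, micro))


def pydoc_still_has_getfile():
    """Assumption: the fix removed all 'getfile?key=' references from pydoc.py,
    so finding the string in the installed module source indicates an unpatched copy."""
    return "getfile?key=" in inspect.getsource(pydoc)


if __name__ == "__main__":
    # Constructed sample package/version pairs for illustration.
    for pkg, ver in [("python38", "3.8.7_1"), ("python38", "3.8.9"), ("python39", "3.9.2")]:
        print(pkg, ver, "affected" if is_affected(pkg, ver) else "fixed")
    print("running interpreter affected:", running_interpreter_affected())
    print("pydoc source references getfile:", pydoc_still_has_getfile())
```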

References

CVE Name CVE-2021-3426
URL https://bugs.python.org/issue42988
URL https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html