Bug 1763229 (CVE-2019-16935) - CVE-2019-16935 python: XSS vulnerability in the documentation XML-RPC server in server_title field
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16935
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1763231 1759944 1763230 1763232 1763233 1763234 1763235 1763236 1763237 1797998 1797999 1798000 1798001 1798002 1798003
Blocks:
Reported: 2019-10-18 14:24 UTC by kat
Modified: 2023-12-15 16:51 UTC (History)
Fixed In Version: python 2.7.17, python 3.5.8, python 3.6.10, python 3.7.5
Doc Type: If docs needed, set a value
Doc Text:
A reflected cross-site scripting (XSS) vulnerability was found in the Python documentation XML-RPC server. The `server_title` field is not sufficiently sanitized, allowing malicious JavaScript to be injected into the generated documentation page. Successful exploitation would allow a remote attacker to execute JavaScript code within the context of the affected user's browser.
Clone Of:
Environment:
Last Closed: 2020-09-29 21:58:38 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3888 0 None None None 2020-09-29 19:36:41 UTC
Red Hat Product Errata RHSA-2020:3911 0 None None None 2020-09-29 19:46:15 UTC
Red Hat Product Errata RHSA-2020:4285 0 None None None 2020-10-19 18:05:38 UTC
Red Hat Product Errata RHSA-2020:4433 0 None None None 2020-11-04 00:51:36 UTC

Description kat 2019-10-18 14:24:20 UTC
The documentation XML-RPC server in various Python versions has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Upstream bug:

https://bugs.python.org/issue38243

Upstream pull request and commits:

https://github.com/python/cpython/pull/16373

master: https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
3.6: https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
2.7: https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
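As an added example (not part of this bug report and not CPython's own code), the following Python 3 snippet renders the documentation page of `xmlrpc.server`'s `XMLRPCDocGenerator` without binding a socket, so an administrator can check whether the running interpreter escapes `server_title` in the way the fixed versions listed above do, and it shows the wrapper to apply before `set_server_title` on interpreters that predate the fix. The `DocPageRenderer` class, the `PROBE_TITLE` value and the helper names are assumptions of mine; the check relies on the upstream fix passing the title through `html.escape` before it is written into the page, which is my reading of the linked commits rather than something this report states. The Python 2.x module `DocXMLRPCServer` is not covered here.

```python
"""Check whether this interpreter's documenting XML-RPC server escapes
server_title (CVE-2019-16935), and show the defensive wrapper for
interpreters that do not. Added example; not code from the bug report."""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe: harmless markup that reveals whether the title reaches
# the generated HTML unescaped. No script is involved.
PROBE_TITLE = "<b>probe</b>"


class DocPageRenderer(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Hypothetical helper: the same mixin pair DocXMLRPCServer uses, but
    without SimpleXMLRPCServer, so no port is opened while rendering."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self, allow_none=True, encoding=None)
        XMLRPCDocGenerator.__init__(self)


def render_doc_page(title):
    """Return the HTML the documenting server would serve for GET /."""
    renderer = DocPageRenderer()
    renderer.set_server_title(title)          # the field named in the CVE
    return renderer.generate_html_documentation()


def title_is_escaped(title=PROBE_TITLE):
    """True when the title is HTML-escaped in the page (fixed interpreter),
    False when it is copied in verbatim (unfixed interpreter)."""
    page = render_doc_page(title)
    return title not in page and html.escape(title) in page


def escape_server_title(untrusted):
    """Defensive wrapper for unfixed interpreters: escape the value before
    handing it to set_server_title. Harmless on fixed interpreters, where
    the already-escaped text is simply escaped a second time."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    verdict = "escapes" if title_is_escaped() else "does NOT escape"
    print(f"This interpreter {verdict} server_title in the XML-RPC doc page")
    # On an unfixed interpreter, set the title via the wrapper instead:
    print(escape_server_title(PROBE_TITLE))
```

Run it once per interpreter you deploy; a `False` verdict means the documentation page copies the title in verbatim and any untrusted value passed to `set_server_title` should go through the wrapper (or, better, the interpreter should be updated to one of the fixed versions).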

Comment 1 kat 2019-10-18 14:24:48 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1763232]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1763233]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1763231]
Affects: fedora-all [bug 1763234]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1763235]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1763230]
Affects: fedora-all [bug 1763236]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1763237]

Comment 6 Mauro Matteo Cascella 2020-02-19 11:03:53 UTC
Statement:

This flaw does not affect the versions of python27-python as shipped with Red Hat Software Collections 3 as they already include the fix.
This flaw does not affect the versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 as they are "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.

Comment 7 errata-xmlrpc 2020-09-29 19:36:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3888 https://access.redhat.com/errata/RHSA-2020:3888

Comment 8 errata-xmlrpc 2020-09-29 19:46:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3911 https://access.redhat.com/errata/RHSA-2020:3911

Comment 9 Product Security DevOps Team 2020-09-29 21:58:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16935

Comment 12 errata-xmlrpc 2020-10-19 18:05:36 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 13 errata-xmlrpc 2020-11-04 00:51:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433

