Bugzilla – Bug 1153238
VUL-0: CVE-2019-16935: python,python3,python36,python27: XSS vulnerability in the documentation XML-RPC server in server_title field
Last modified: 2022-06-10 08:40:54 UTC
CVE-2019-16935 The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16935
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16935.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935
https://github.com/python/cpython/pull/16373
https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897
https://bugs.python.org/issue38243
https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213
All supported versions of python are affected; please find attached the POC for python2 and python3. To run the POC, simply run the corresponding file with the corresponding python version, then open a browser and go to localhost:8000. You should be able to see an alert window.

Tracked as affected the following codestreams:
python: SUSE:SLE-10-SP3:Update SUSE:SLE-11-SP1:Update SUSE:SLE-12:Update SUSE:SLE-12-SP1:Update SUSE:SLE-15:Update
python27: SUSE:SLE-11-SP1:Update:TD
python3: SUSE:SLE-12:Update SUSE:SLE-15:Update

More information including proposed fixes in [1]
[1] https://bugs.python.org/issue38243
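The description above names the root cause (server_title copied unescaped into the generated HTML page) and the upstream fix (the title is passed through html.escape before it reaches the page template). The following is an added example, not the reporter's POC and not CPython's own code: it renders the documentation page offline, without binding a socket, so an administrator can check whether the interpreter on a host is fixed, and it shows how to set a title that originates from untrusted input on an interpreter that is not yet patched. The combined DocPageOnly class and the probe string are this example's own constructions; the stdlib classes it builds on (SimpleXMLRPCDispatcher, XMLRPCDocGenerator) are the same two that DocXMLRPCServer combines.

```python
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator


class DocPageOnly(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Dispatcher plus documentation generator, with no listening socket.

    Hypothetical helper for this example: DocXMLRPCServer stacks the same
    two classes on top of a TCP server; building them without the server
    lets us render the documentation page offline and inspect it.
    """

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self, allow_none=False, encoding=None)
        XMLRPCDocGenerator.__init__(self)


def ping():
    """Sample registered method so the rendered page has a Methods section."""
    return "pong"


# Constructed probe: harmless markup that a fixed interpreter must escape.
PROBE_TITLE = "<i>probe</i>"


def render_doc_page(title):
    """Render the HTML documentation page for the given server title."""
    gen = DocPageOnly()
    gen.register_function(ping)
    gen.set_server_title(title)
    return gen.generate_html_documentation()


def interpreter_escapes_title():
    """True if this interpreter escapes server_title (CVE-2019-16935 fixed).

    On a fixed interpreter the probe appears only as &lt;i&gt;probe&lt;/i&gt;;
    on an affected one the raw markup is copied into the <title> element.
    """
    page = render_doc_page(PROBE_TITLE)
    return html.escape(PROBE_TITLE) in page and PROBE_TITLE not in page


def set_title_safely(gen, title):
    """Set a possibly untrusted server title without double escaping.

    Escape only when the interpreter does not do it itself; on a fixed
    interpreter escaping here too would render literal '&lt;' text.
    Returns the title string actually stored.
    """
    if not interpreter_escapes_title():
        title = html.escape(title, quote=True)
    gen.set_server_title(title)
    return title


if __name__ == "__main__":
    print("server_title escaped by this interpreter:", interpreter_escapes_title())
    gen = DocPageOnly()
    print("stored title:", set_title_safely(gen, "<b>untrusted</b>"))
```

The check only inspects the page the interpreter itself generates, so it is also a reasonable post-update verification for the python/python3 packages listed in the advisories below: run it once with each interpreter version installed on the host.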
Created attachment 820728: python3-poc
Created attachment 820729: python2-poc
Why not python36 in SUSE:SLE-12-SP3:Update:Products:Teradata:Update?
SUSE-SU-2019:2743-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1130840,1149955,1153238
CVE References: CVE-2019-16056,CVE-2019-16935,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.14-7.24.1, python-base-2.7.14-7.24.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.14-7.24.1, python-base-2.7.14-7.24.1, python-doc-2.7.14-7.24.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.14-7.24.1, python-doc-2.7.14-7.24.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.14-7.24.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.14-7.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.14-7.24.1, python-base-2.7.14-7.24.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.14-7.24.1, python-base-2.7.14-7.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2748-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1149955,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): python-base-2.7.13-28.36.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python-base-2.7.13-28.36.1
SUSE Linux Enterprise Server 12-SP4 (src): python-2.7.13-28.36.1, python-base-2.7.13-28.36.1, python-doc-2.7.13-28.36.1
SUSE Linux Enterprise Desktop 12-SP4 (src): python-2.7.13-28.36.1, python-base-2.7.13-28.36.1
SUSE Enterprise Storage 5 (src): python-2.7.13-28.36.1
SUSE CaaS Platform 3.0 (src): python-2.7.13-28.36.1, python-base-2.7.13-28.36.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2389-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1130840,1149955,1153238
CVE References: CVE-2019-16056,CVE-2019-16935,CVE-2019-9947
Sources used:
openSUSE Leap 15.0 (src): python-2.7.14-lp150.6.21.1
openSUSE-SU-2019:2393-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1130840,1149955,1153238
CVE References: CVE-2019-16056,CVE-2019-16935,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src): python-2.7.14-lp151.10.10.1, python-base-2.7.14-lp151.10.10.2, python-doc-2.7.14-lp151.10.10.1
SUSE-SU-2019:2802-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1149121,1149792,1149955,1151490,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1, python3-doc-3.6.9-3.39.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1, python3-doc-3.6.9-3.39.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.9-3.39.1
SUSE Linux Enterprise Module for Development Tools 15 (src): python3-base-3.6.9-3.39.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python3-3.6.9-3.39.1, python3-base-3.6.9-3.39.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2438-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1149121,1149792,1149955,1151490,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
openSUSE Leap 15.1 (src): python3-3.6.9-lp151.6.4.1, python3-base-3.6.9-lp151.6.4.1
openSUSE-SU-2019:2453-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1149121,1149792,1149955,1151490,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
openSUSE Leap 15.0 (src): python3-3.6.9-lp150.2.14.1, python3-base-3.6.9-lp150.2.14.1
SUSE-SU-2019:2748-2: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1149955,1153238
CVE References: CVE-2019-16056,CVE-2019-16935
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): python-base-2.7.13-28.36.1
SUSE Linux Enterprise Server 12-SP5 (src): python-2.7.13-28.36.1, python-base-2.7.13-28.36.1, python-doc-2.7.13-28.36.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.
Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Development Tools 15 (src): python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.
Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src): python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.
Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update has been prepared, this bug can be closed.
SUSE-SU-2020:2699-1: An update that solves 7 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1088004,1088009,1130840,1141853,1149955,1153238,1162423,1173274,1174091,1174701
CVE References: CVE-2018-14647,CVE-2018-20852,CVE-2019-16056,CVE-2019-16935,CVE-2019-20907,CVE-2019-9947,CVE-2020-14422
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud Crowbar 8 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 9 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 8 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 7 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP5 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Enterprise Storage 5 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
HPE Helion Openstack 8 (src): python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Solution was found, and fix released.
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
This is an autogenerated message for OBS integration: This bug (1153238) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python