[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2019-16935/python*


On 28/09/2019 22:36, Ola Lundqvist wrote:
> I have looked a little into CVE-2019-16935. My conclusion is that the
> package is vulnerable but I could not really judge its severity. I have
> a question though. If we find that we should correct it, shouldn't we
> correct also jython and pypy-lib in that case?
> The problem is in DocXMLRPCServer.py and that file exist also in the
> other two packages. Or should we assume there will be a different CVE
> for those packages?
> https://packages.debian.org/search?searchon=contents&keywords=DocXMLRPCServer.py&mode=exactfilename&suite=oldstable&arch=any  ;

I would reference python and pypy-lib in data/CVE/list, indeed.
Do you want to do that?

As for the severity, from what I read this is a reflected XSS, that is
also hypothetical as this would affect an unknown third-party app making
use of DocXMLRPCServer and setting the server title from untrusted input.
So low IMHO.


Reply to: