PT-2019-5583 · Python+10
Published 2019-09-21 · Updated 2026-05-18
CVE-2019-16935
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Python versions 2.7.16 and earlier, 3.x through 3.6.9, and 3.7.x through 3.7.4
Description
The documentation XML-RPC server in Python (DocXMLRPCServer) is vulnerable to cross-site scripting (XSS) through its server title. The affected code is Lib/DocXMLRPCServer.py in Python 2.x and Lib/xmlrpc/server.py in Python 3.x. The title passed to set_server_title() is inserted into the generated HTML documentation page without escaping, so if it is set from untrusted input, arbitrary JavaScript is delivered to every client that opens the server's HTTP URL in a browser (the page is served in response to a GET request; XML-RPC calls themselves travel over POST and do not render the title).
A separate issue is listed alongside it: the http.cookiejar.LOOSE_HTTP_DATE_RE regular expression, which http.cookiejar.http2time() applies to the expires attribute of Set-Cookie headers, is vulnerable to regular expression denial of service (ReDoS). A crafted date value in a response from a malicious HTTP server can cause extreme CPU usage and block execution of the client for a long time.
Recommendations
For Python 2.7.16 and earlier, 3.x through 3.6.9, and 3.7.x through 3.7.4, update to a release in which the server title is HTML-escaped when the documentation page is generated: 2.7.17, 3.6.10, 3.7.5, 3.8.0 or later. The fix applies html.escape() to the title inside generate_html_documentation(), so calling code needs no change once the interpreter is updated.
As a temporary workaround, do not pass untrusted input to set_server_title(): use a fixed, hard-coded title, or HTML-escape the value with html.escape() before calling set_server_title() (on a patched interpreter this escapes the title twice, which is harmless but ugly). The documentation page is only useful to developers, so also avoid exposing the server's HTTP documentation endpoint beyond localhost.
On an affected interpreter, do not let http.cookiejar (for example through urllib.request's HTTPCookieProcessor) parse Set-Cookie headers from untrusted HTTP servers. If it must, bound the length of the expires value before it reaches http2time(), which is where LOOSE_HTTP_DATE_RE is applied; the cost of the regex grows superlinearly with the input length, so a length cap bounds the damage.
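The two workarounds above, as an added example that is not part of this advisory or of CPython: a runtime probe that renders the DocXMLRPCServer documentation page offline (combining the same SimpleXMLRPCDispatcher and XMLRPCDocGenerator mix-ins that DocXMLRPCServer uses, without binding a socket) to tell whether the running interpreter reflects set_server_title() input unescaped, a subclass that escapes the title only when the interpreter does not (so a patched interpreter does not double-escape), and a length-bounded wrapper around http.cookiejar.http2time() for the ReDoS mitigation. The class names OfflineDocServer and HardenedDocServer, the helper names, PROBE_TITLE and HOSTILE_DATE are all constructed for this example.

```python
import html
from http.cookiejar import http2time
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe payload: what an attacker-controlled title would carry.
PROBE_TITLE = '<script>alert(document.cookie)</script>'


def add(x, y):
    """Return x + y (registered so the documentation page has some content)."""
    return x + y


class OfflineDocServer(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """The dispatcher + documentation generator that DocXMLRPCServer mixes in,
    minus the TCP server, so the HTML page can be rendered without a port.
    (Hypothetical helper for this example, not a stdlib class.)"""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)
        self.register_function(add)


def render_docs(server, title):
    """Set the title and return the HTML a GET to the server would return."""
    server.set_server_title(title)
    return server.generate_html_documentation()


def title_reflected_raw(server, title):
    """True when the title reaches the page byte-for-byte, i.e. unescaped."""
    return title in render_docs(server, title)


def interpreter_is_vulnerable():
    """Runtime check for CVE-2019-16935 on the interpreter running this code."""
    return title_reflected_raw(OfflineDocServer(), PROBE_TITLE)


class HardenedDocServer(OfflineDocServer):
    """Escapes the title itself only where the interpreter does not, so a
    patched interpreter does not turn 'R&D' into 'R&amp;amp;D'."""

    def set_server_title(self, server_title):
        if interpreter_is_vulnerable():
            server_title = html.escape(server_title, quote=True)
        super().set_server_title(server_title)


# ---- ReDoS guard for Set-Cookie expires values ---------------------------

# Real expires values are short: an RFC 1123 date is 29 characters.
MAX_COOKIE_DATE_LEN = 64


def safe_http2time(text, max_len=MAX_COOKIE_DATE_LEN):
    """Length-bounded wrapper around http.cookiejar.http2time().

    http2time() runs LOOSE_HTTP_DATE_RE over the string; on an affected
    interpreter its cost grows superlinearly with the input, so the cap is
    enforced before the regex ever sees the text. Returns seconds since the
    epoch, or None when the value is too long or not a date.
    """
    if not isinstance(text, str) or len(text) > max_len:
        return None
    return http2time(text)


# Constructed input: a plausible date padded by a hostile server with a long
# run of whitespace and a junk byte, the kind of value the guard refuses.
HOSTILE_DATE = 'Wed, 09 Feb 1994 22:23:32' + ' ' * 5000 + '!'


if __name__ == '__main__':
    print('interpreter vulnerable to CVE-2019-16935:', interpreter_is_vulnerable())
    print('hardened title reflected raw:',
          title_reflected_raw(HardenedDocServer(), PROBE_TITLE))
    print('good date ->', safe_http2time('Wed, 09 Feb 1994 22:23:32 GMT'))
    print('hostile date ->', safe_http2time(HOSTILE_DATE))
```

Both checks are deliberately independent of which interpreter runs them: interpreter_is_vulnerable() reports the fact, HardenedDocServer gives the same escaped page either way, and safe_http2time() never lets an oversized value reach the regex, so the hostile input is rejected in constant time rather than measured.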
XSS
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Python
Red Hat
Rocky Linux
Suse
Ubuntu