
oss-sec mailing list archives
Re: Plone security hotfix 20210518
From: Maurits van Rees <maurits () vanrees org>
Date: Sat, 22 May 2021 13:34:10 +0200
CVE numbers inline below. Thanks.

On 21/05/2021 16:07, Maurits van Rees wrote:
> A Plone security hotfix was released on Tuesday, May 18, 2021. For details, see https://plone.org/security/hotfix/20210518
>
> Most CVE numbers are not yet issued. I will request them from Mitre shortly.
>
> BTW, I am following the instructions at https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests to first post to this list, then request CVEs at Mitre, then reply to my own post. I don't see many other people doing it in this order. Is that page still accurate?
>
> Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version).
>
> Versions Not Affected: None. Earlier versions may be affected, but the hotfix has not been tested on them.
>
> The patch addresses several security issues:
>
> - Remote Code Execution via traversal in expressions. Reported by David Miller. CVE-2021-32633.
>
> - Writing arbitrary files via docutils and Python Script. Reported by Calum Hutton.

CVE-2021-33509

> - Various information disclosures: mostly installation logs. Reported by Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
>
> - Stored XSS from file upload (svg, html). Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.

CVE-2021-33512

> - Reflected XSS in various spots. Reported by Calum Hutton.

CVE-2021-33507

> - XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.

CVE-2021-33513

> - Stored XSS from user fullname. Reported by Tino Kautschke.

CVE-2021-33508 issued, but I forgot that the original reporter already reserved CVE-2021-3313, which is public now with his report. My bad.

> - Blind SSRF via feedparser accessing an internal URL. Reported by Subodh Kumar Shree.

The reporter preferred to request the CVE for this one, so waiting to hear back.

> - Server Side Request Forgery via event ical URL. Reported by MisakiKata and David Miller.

CVE-2021-33510

> - Server Side Request Forgery via lxml parser. Reported by MisakiKata and David Miller.

CVE-2021-33511

> A hotfix package has been created at https://pypi.org/project/Products.PloneHotfix20210518/
>
> The fixes will be incorporated in the future release Plone 5.2.5.
-- Maurits van Rees https://maurits.vanrees.org/
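Two of the entries above (the blind SSRF via feedparser and the SSRF via the event ical URL) share one shape: a URL supplied by a user is fetched by the server, and nothing stops that URL from pointing at loopback, an internal network, or a cloud metadata endpoint. The advisory does not say what the hotfix changes for them, and the block below is an added example, not code from Plone, the hotfix package, or any of the reporters. It shows the pre-fetch check a practitioner would put in front of such a fetcher: reject non-HTTP schemes and URLs carrying credentials, resolve the host, and refuse if any resolved address is loopback, private, link-local (which covers 169.254.169.254), multicast, reserved, or in the shared address space 100.64.0.0/10 that `ipaddress` does not count as private. The hostnames, addresses and the `CONSTRUCTED_DNS` table are made up so that the example runs offline; `system_resolve` is the real-resolver variant.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web fetches are acceptable for a feed or ical URL; file://, ftp://,
# gopher:// and the like are refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Ranges that ipaddress.is_private does not flag but that a server-side fetcher
# should still never reach: shared address space (RFC 6598, used by CGNAT).
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def system_resolve(host):
    """Resolve a hostname to all of its A/AAAA addresses with the OS resolver."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_internal_address(text):
    """True if the address must not be contacted from the server side."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return True  # unparsable address: fail closed
    # ::ffff:10.0.0.1 is IPv4 10.0.0.1 in disguise; judge the embedded address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_BLOCKED if addr.version == net.version)


def check_outbound_url(url, resolve=system_resolve):
    """Decide whether a user-supplied URL may be fetched by the server.

    Returns (ok, detail). ok is True only when the scheme is allowed, the URL
    carries no credentials, and every address the host resolves to is public.
    Checking every address matters: a host with one public and one internal
    record would otherwise pass and then be connected to via the internal one.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_internal_address(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "resolved to " + ", ".join(addrs)


# Constructed lookup table so the example runs offline; these names and
# addresses are made up for the example and are not real hosts.
CONSTRUCTED_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.example": ["10.1.2.3"],
    "dual.example": ["93.184.216.34", "192.168.0.5"],
    "v6mapped.example": ["::ffff:10.0.0.1"],
}


def constructed_resolve(host):
    """Stand-in for system_resolve that consults CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise OSError("constructed resolver: no such host %r" % host)


if __name__ == "__main__":
    for candidate in (
        "https://www.example.com/feed.xml",
        "http://intranet.example/feed.xml",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]:8080/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_outbound_url(candidate, resolve=constructed_resolve))
```

The check is point-in-time, so two gaps remain for the caller to close: a DNS answer can change between this check and the connection (rebinding), so the fetch should connect to the address that was checked rather than resolving again; and an HTTP client that follows redirects on its own can be bounced to an internal URL after the first one passed, so redirects should be disabled and each new Location run through check_outbound_url before it is followed.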