List: oss-security
Subject: Re: [oss-security] Plone security hotfix 20210518
From: Maurits van Rees <maurits () vanrees ! org>
Date: 2021-05-22 11:34:10
Message-ID: dbbd5c0a-cebb-dfed-3c21-967513642d38 () vanrees ! org
CVE numbers inline below. Thanks.
On 21/05/2021 16:07, Maurits van Rees wrote:
> A Plone security hotfix was released on Tuesday, May 18 2021.
> For details, see https://plone.org/security/hotfix/20210518
> Most CVE numbers are not yet issued. I will request them from Mitre
> shortly.
>
> BTW, I am following the instructions at
> https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests
> to first post to this list, then request CVEs at Mitre, then reply to
> my own post.
> I don't see many other people doing it in this order. Is that page
> still accurate?
>
> Versions Affected: All supported Plone versions (4.3.20 and any
> earlier 4.3.x version, 5.2.4 and any earlier 5.x version).
>
> Versions Not Affected: None. Earlier versions may be affected, but the
> hotfix has not been tested on them.
>
> The patch addresses several security issues:
>
> - Remote Code Execution via traversal in expressions. Reported by
> David Miller. CVE-2021-32633.
> - Writing arbitrary files via docutils and Python Script. Reported by
> Calum Hutton.
CVE-2021-33509
> - Various information disclosures: mostly installation logs. Reported
> by Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
> - Stored XSS from file upload (svg, html). Reported separately by Emir
> Cüneyt Akkutlu and Tino Kautschke.
CVE-2021-33512
> - Reflected XSS in various spots. Reported by Calum Hutton.
CVE-2021-33507
> - XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
CVE-2021-33513
> - Stored XSS from user fullname. Reported by Tino Kautschke.
CVE-2021-33508 issued, but I forgot that the original reporter already reserved CVE-2021-3313, which is public now with his report. My bad.
> - Blind SSRF via feedparser accessing an internal URL. Reported by
> Subodh Kumar Shree.
The reporter preferred to request the CVE for this one, so waiting to hear back.
> - Server Side Request Forgery via event ical URL. Reported by
> MisakiKata and David Miller.
CVE-2021-33510
> - Server Side Request Forgery via lxml parser. Reported by MisakiKata
> and David Miller.
CVE-2021-33511
>
> A hotfix package has been created at
> https://pypi.org/project/Products.PloneHotfix20210518/
> The fixes will be incorporated in future release Plone 5.2.5.
>
--
Maurits van Rees https://maurits.vanrees.org/