
List:       oss-security
Subject:    Re: [oss-security] Plone security hotfix 20210518
From:       Maurits van Rees <maurits () vanrees ! org>
Date:       2021-05-22 11:34:10
Message-ID: dbbd5c0a-cebb-dfed-3c21-967513642d38 () vanrees ! org


CVE numbers inline below. Thanks.

On 21/05/2021 16:07, Maurits van Rees wrote:
> A Plone security hotfix was released on Tuesday, May 18 2021.
> For details, see https://plone.org/security/hotfix/20210518
> Most CVE numbers are not yet issued. I will request them from Mitre 
> shortly.
> 
> BTW, I am following the instructions at 
> https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests 
> to first post to this list, then request CVEs at Mitre, then reply to 
> my own post.
> I don't see many other people doing it in this order. Is that page 
> still accurate?
> 
> Versions Affected: All supported Plone versions (4.3.20 and any 
> earlier 4.3.x version, 5.2.4 and any earlier 5.x version).
> 
> Versions Not Affected: None. Earlier versions may be affected, but the 
> hotfix has not been tested on them.
> 
> The patch addresses several security issues:
> 
> - Remote Code Execution via traversal in expressions. Reported by 
> David Miller. CVE-2021-32633.
> - Writing arbitrary files via docutils and Python Script. Reported by 
> Calum Hutton.

CVE-2021-33509

> - Various information disclosures: mostly installation logs. Reported 
> by Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
> - Stored XSS from file upload (svg, html). Reported separately by Emir 
> Cüneyt Akkutlu and Tino Kautschke.

CVE-2021-33512

> - Reflected XSS in various spots. Reported by Calum Hutton.

CVE-2021-33507

> - XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.

CVE-2021-33513

> - Stored XSS from user fullname. Reported by Tino Kautschke.

CVE-2021-33508 issued, but I forgot that the original reporter already reserved CVE-2021-3313, which is public now with his report. My bad.

> - Blind SSRF via feedparser accessing an internal URL. Reported by 
> Subodh Kumar Shree.

The reporter preferred to request the CVE for this one, so I am waiting to hear back.

> - Server Side Request Forgery via event ical URL. Reported by 
> MisakiKata and David Miller.

CVE-2021-33510

> - Server Side Request Forgery via lxml parser. Reported by MisakiKata 
> and David Miller.

CVE-2021-33511

> 
> A hotfix package has been created at 
> https://pypi.org/project/Products.PloneHotfix20210518/
> The fixes will be incorporated in future release Plone 5.2.5.
> 
-- 
Maurits van Rees https://maurits.vanrees.org/
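The version ranges in the advisory above ("4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version" affected, earlier versions untested, fix incorporated in 5.2.5) are easy to misread during a triage. The following is an added example, not code from the advisory, from Plone or from the hotfix: it encodes exactly those ranges and checks whether the hotfix distribution Products.PloneHotfix20210518 is installed in the running Python environment. It assumes that every release from 5.2.5 onward carries the fix (the post only names 5.2.5), and it treats 4.3.x releases newer than 4.3.20 as "unknown" because the post says nothing about them.

```python
"""Triage helper for the Plone hotfix 20210518 advisory.

Added example, not part of the advisory, of Plone, or of the hotfix package.
Encodes only the affected ranges stated in the post and checks for the
hotfix distribution by name.
"""
from importlib.metadata import PackageNotFoundError
from importlib.metadata import version as dist_version

# Distribution name from https://pypi.org/project/Products.PloneHotfix20210518/
HOTFIX_DIST = "Products.PloneHotfix20210518"

# Assumption (not stated in the post): everything from 5.2.5 on is fixed.
FIRST_FIXED = (5, 2, 5)
LAST_AFFECTED_43 = (4, 3, 20)


def parse_version(text):
    """Turn '5.2.4', '5.2.4rc1' or '4.3.20' into a tuple of ints.

    Non-numeric suffixes on a component ('4rc1' -> 4) are dropped, and
    parsing stops at the first component with no leading digits.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError("not a Plone version: %r" % text)
    return tuple(parts)


def affected_by_20210518(plone_version):
    """Classify a Plone version against the advisory's ranges.

    Returns one of:
      'fixed'     - 5.2.5 or later (assumed to include the fixes)
      'affected'  - any 5.x up to 5.2.4, or any 4.3.x up to 4.3.20
      'untested'  - older than 4.3: 'may be affected, hotfix not tested'
      'unknown'   - a range the post does not speak about
    """
    v = parse_version(plone_version)
    if v >= FIRST_FIXED:
        return "fixed"
    if v[0] == 5:
        return "affected"  # 5.2.4 and any earlier 5.x
    if v[:2] == (4, 3):
        return "affected" if v <= LAST_AFFECTED_43 else "unknown"
    if v < (4, 3):
        return "untested"  # post: earlier versions may be affected
    return "unknown"


def hotfix_installed():
    """Return the installed hotfix version string, or None if absent."""
    try:
        return dist_version(HOTFIX_DIST)
    except PackageNotFoundError:
        return None


def assess(plone_version, hotfix_version=None):
    """Combine the version range with hotfix presence.

    hotfix_version defaults to whatever is installed in this environment;
    pass it explicitly when assessing a remote site or a pinned buildout.
    """
    status = affected_by_20210518(plone_version)
    if hotfix_version is None:
        hotfix_version = hotfix_installed()
    if status == "affected" and hotfix_version:
        return "patched-by-hotfix"
    return status


if __name__ == "__main__":
    # Constructed sample inputs, not real site data.
    for ver in ("4.3.20", "5.2.4", "5.2.4rc1", "5.2.5", "4.2.7", "5.0"):
        print(ver, "->", assess(ver, hotfix_version=None))
```

Run it inside the site's Python (the buildout or virtualenv that runs Zope) so that the hotfix lookup sees the same set of installed distributions as the instance; when run elsewhere, pass the hotfix version explicitly and rely only on the range classification.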


