Date: Fri, 21 May 2021 16:07:57 +0200
From: Maurits van Rees <maurits@...rees.org>
To: oss-security@...ts.openwall.com
Subject: Plone security hotfix 20210518

A Plone security hotfix was released on Tuesday, May 18, 2021.
For details, see https://plone.org/security/hotfix/20210518
Most CVE numbers are not yet issued. I will request them from Mitre shortly.

BTW, I am following the instructions at 
https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests 
to first post to this list, then request CVEs at Mitre, then reply to my 
own post.
I don't see many other people doing it in this order. Is that page still 
accurate?

Versions Affected: All supported Plone versions (4.3.20 and any earlier 
4.3.x version, 5.2.4 and any earlier 5.x version).

Versions Not Affected: None. Earlier versions may be affected, but the 
hotfix has not been tested on them.

The patch addresses several security issues:

- Remote Code Execution via traversal in expressions. Reported by David 
Miller. CVE-2021-32633.
- Writing arbitrary files via docutils and Python Script. Reported by 
Calum Hutton.
- Various information disclosures: mostly installation logs. Reported by 
Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
- Stored XSS from file upload (svg, html). Reported separately by Emir 
Cüneyt Akkutlu and Tino Kautschke.
- Reflected XSS in various spots. Reported by Calum Hutton.
- XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
- Stored XSS from user fullname. Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL. Reported by 
Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL. Reported by MisakiKata 
and David Miller.
- Server Side Request Forgery via lxml parser. Reported by MisakiKata 
and David Miller.

A hotfix package has been created at 
https://pypi.org/project/Products.PloneHotfix20210518/
The fixes will be incorporated in the upcoming Plone 5.2.5 release.

-- 
Maurits van Rees https://maurits.vanrees.org/
Plone Security Team security@...ne.org
