Date: Sat, 22 May 2021 13:34:10 +0200
From: Maurits van Rees <maurits@...rees.org>
To: oss-security@...ts.openwall.com
Subject: Re: Plone security hotfix 20210518

CVE numbers inline below. Thanks.

On 21/05/2021 16:07, Maurits van Rees wrote:
> A Plone security hotfix was released on Tuesday, May 18 2021.
> For details, see https://plone.org/security/hotfix/20210518
> Most CVE numbers are not yet issued. I will request them from Mitre 
> shortly.
>
> BTW, I am following the instructions at 
> https://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests 
> to first post to this list, then request CVEs at Mitre, then reply to 
> my own post.
> I don't see many other people doing it in this order. Is that page 
> still accurate?
>
> Versions Affected: All supported Plone versions (4.3.20 and any 
> earlier 4.3.x version, 5.2.4 and any earlier 5.x version).
>
> Versions Not Affected: None. Earlier versions may be affected, but the 
> hotfix has not been tested on them.
>
> The patch addresses several security issues:
>
> - Remote Code Execution via traversal in expressions. Reported by 
> David Miller. CVE-2021-32633.
> - Writing arbitrary files via docutils and Python Script. Reported by 
> Calum Hutton.

CVE-2021-33509

> - Various information disclosures: mostly installation logs. Reported 
> by Calum Hutton. CVE-2021-21360 and CVE-2021-21336.
> - Stored XSS from file upload (svg, html). Reported separately by Emir 
> Cüneyt Akkutlu and Tino Kautschke.

CVE-2021-33512

> - Reflected XSS in various spots. Reported by Calum Hutton.

CVE-2021-33507

> - XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.

CVE-2021-33513

> - Stored XSS from user fullname. Reported by Tino Kautschke.

CVE-2021-33508 issued, but I forgot that the original reporter already reserved CVE-2021-3313 which is public now with his report.  My bad.

> - Blind SSRF via feedparser accessing an internal URL. Reported by 
> Subodh Kumar Shree.

The reporter preferred to request the CVE for this one, so waiting to 
hear back.

> - Server Side Request Forgery via event ical URL. Reported by 
> MisakiKata and David Miller.

CVE-2021-33510

> - Server Side Request Forgery via lxml parser. Reported by MisakiKata 
> and David Miller.

CVE-2021-33511

>
> A hotfix package has been created at 
> https://pypi.org/project/Products.PloneHotfix20210518/
> The fixes will be incorporated in future release Plone 5.2.5.
>
-- 
Maurits van Rees https://maurits.vanrees.org/