CVE-2021-21336 - OpenCVE

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Plone	Plone
Zope	Products.pluggableauthservice

Configuration 1 [-]

cpe:2.3:a:zope:products.pluggableauthservice:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:plone:plone::::::::
	cpe:2.3:a:plone:plone::::::::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List Third Party Advisory
https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb	Patch Third Party Advisory
https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p	Third Party Advisory
https://pypi.org/project/Products.PluggableAuthService/	Product Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-08T20:40:17

Updated: 2021-05-22T17:06:14

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21336

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-08T21:15:16.683

Modified: 2022-06-03T12:54:08.477

Link: CVE-2021-21336

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "Products.PluggableAuthService", "vendor": "zopefoundation", "versions": [{"status": "affected", "version": "< 2.6.0"}]}], "descriptions": [{"lang": "en", "value": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install \"Products.PluggableAuthService>=2.6.0\"`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-22T17:06:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/Products.PluggableAuthService/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb"}, {"name": "[oss-security] 20210521 Plone security hotfix 20210518", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"}, {"name": "[oss-security] 20210522 Re: Plone security hotfix 20210518", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"}], "source": {"advisory": "GHSA-p75f-g7gx-2r7p", "discovery": "UNKNOWN"}, "title": "Exposure of Sensitive Information to an Unauthorized Actor in Products.PluggableAuthService ZODBRoleManager", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21336", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in Products.PluggableAuthService ZODBRoleManager"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Products.PluggableAuthService", "version": {"version_data": [{"version_value": "< 2.6.0"}]}}]}, "vendor_name": "zopefoundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install \"Products.PluggableAuthService>=2.6.0\"`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p", "refsource": "CONFIRM", "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p"}, {"name": "https://pypi.org/project/Products.PluggableAuthService/", "refsource": "MISC", "url": "https://pypi.org/project/Products.PluggableAuthService/"}, {"name": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb", "refsource": "MISC", "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb"}, {"name": "[oss-security] 20210521 Plone security hotfix 20210518", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"}, {"name": "[oss-security] 20210522 Re: Plone security hotfix 20210518", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"}]}, "source": {"advisory": "GHSA-p75f-g7gx-2r7p", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21336", "datePublished": "2021-03-08T20:40:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2021-05-22T17:06:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zope:products.pluggableauthservice:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B3C2A43-06D9-4E9B-AE27-04DA56FFF848", "versionEndExcluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*", "matchCriteriaId": "821A3793-1D04-4480-823E-6B92391AB000", "versionEndIncluding": "4.3.20", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*", "matchCriteriaId": "49BC6F68-1C5B-4EE6-AF9C-5C28E86CC669", "versionEndIncluding": "5.2.4", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install \"Products.PluggableAuthService>=2.6.0\"`."}, {"lang": "es", "value": "Products.PluggableAuthService es un framework de autenticaci\u00f3n y autorizaci\u00f3n de Zope conectable. En Products.PluggableAuthService versiones anteriores a 2.6.0, se presenta una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n: todos pueden enumerar los nombres de los roles definidos en el plugin ZODB Role Manager si el sitio usa este plugin. El problema ha sido corregido en versi\u00f3n 2.6.0. Dependiendo de c\u00f3mo haya instalado Products.PluggableAuthService, debe cambiar el pin de la versi\u00f3n de compilaci\u00f3n a 2.6.0 y volver a ejecutar la compilaci\u00f3n, o si us\u00f3 pip simplemente haga la instalaci\u00f3n de pip \"Products.PluggableAuthService versiones posteriores o iguales a 2.6.0 \"`"}], "id": "CVE-2021-21336", "lastModified": "2022-06-03T12:54:08.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-08T21:15:16.683", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/Products.PluggableAuthService/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}