CVE-2021-21336

Published: Mar 8, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.

Affected (3)

Products: Zope: Products.pluggableauthservice · Plone: Plone

1 product

Products.pluggableauthservice

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zope Products.pluggableauthservice	Before 2.6.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Plone Plone	From 4.3.0 to 4.3.20
Plone Plone	From 5.0 to 5.2.4

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (10)

http://www.openwall.com/lists/oss-security/2021/05/21/1

Source: security-advisories@github.com

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/05/22/1

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p

Source: security-advisories@github.com

Third Party Advisory

https://pypi.org/project/Products.PluggableAuthService/

Source: security-advisories@github.com

ProductThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/05/21/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/05/22/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://pypi.org/project/Products.PluggableAuthService/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

Timeline

No history available yet.