CVE-2021-21336
Published 2021-03-08
Priority: P3 (37) · Severity: medium · CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.50% (71.2th percentile)
Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plone | plone | 4.3.0 – 4.3.20 | — |
| plone | plone | 5.0 – 5.2.4 | — |
| zope | products.pluggableauthservice | < 2.6.0 | 2.6.0 |
| zopefoundation | products.pluggableauthservice | < 2.6.0 | 2.6.0 |
| zopefoundation | products.pluggableauthservice | >= 0 < 2.6.0 | 2.6.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
GHSA · 2021-03-08
CVE-2021-21336 [HIGH] CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Products.PluggableAuthService ZODBRoleManager
### Impact
_What kind of vulnerability is it? Who is impacted?_
Information disclosure vulnerability: everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
There is no workaround.
No detection rules found.
No public exploits indexed.
References:
- http://www.openwall.com/lists/oss-security/2021/05/21/1
- http://www.openwall.com/lists/oss-security/2021/05/22/1
- https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb
- https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p
- https://pypi.org/project/Products.PluggableAuthService/