#VU53650 Incorrect permission assignment for critical resource in Plone - CVE-2021-33509

Cybersecurity Help s.r.o.

Published: 2021-05-28

Vulnerability identifier: #VU53650

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-33509

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Plone
Web applications / CMS

Vendor: Plone

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to incorrect permission assignment for critical resource. A remote authenticated attacker can perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Plone: 5.0 rc1 - 5.2.4

External links
https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script
https://www.openwall.com/lists/oss-security/2021/05/22/1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Plone