Lucene search

[email protected]NVD:CVE-2021-33511

HistoryMay 21, 2021 - 10:15 p.m.

CVE-2021-33511

2021-05-2122:15:08

CWE-918

[email protected]

web.nvd.nist.gov

plone 5.2.4

ssrf

lxml parser

diazo themes

dexterity ttw schemas

plone.app.theming

plone.app.dexterity

plone.supermodel

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.1%

JSON

Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.

Affected configurations

Nvd

Node

ploneploneRange≤5.2.4

VendorProductVersionCPE
ploneplone*cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
plone	plone	*	cpe:2.3:a:plone:plone::::::::

References

www.openwall.com/lists/oss-security/2021/05/22/1

plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.1%

JSON

Related for NVD:CVE-2021-33511

osv3 prion1 github1 veracode1 cvelist1 cve1 openvas1