CVE-2021-21336

MEDIUM

Zope Products.pluggableauthservice < 2.6.0 - Information Disclosure

Title source: rule

Description

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.

References (5)

Core 5

Core References

Third Party Advisory x_refsource_confirm

https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p

Product, Third Party Advisory x_refsource_misc

https://pypi.org/project/Products.PluggableAuthService/

Patch, Third Party Advisory x_refsource_misc

https://github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb

View Patch ZIP pw:eip

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2021/05/21/1

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2021/05/22/1

Scores

CVSS v3 6.5

EPSS 0.0032

EPSS Percentile 55.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (3)

plone/plone 4.3.0 - 4.3.20

pypi/Products.PluggableAuthService 0 - 2.6.0PyPI

zope/products.pluggableauthservice < 2.6.0

Published Mar 08, 2021

Tracked Since Feb 18, 2026