
CVE-2021-33509: Incorrect Permission Assignment for Critical Resource in Plone

CVSS Score: 10 (CVSS v3.1)

Basic Information

EPSS Score: 0.75795%
Published: 6/15/2021
Updated: 10/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Plone        | pip       | < 5.2.5             | 5.2.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from Plone's ReStructuredText transformation utility improperly handling user-controlled keyword arguments. The transform passes these arguments directly to docutils' publish_parts function, which accepts parameters that control where output files are written. Authenticated managers could craft arguments such as 'output' to write arbitrary files on the server. The hotfix addressed this by restricting the set of allowed parameters. The convert method of the ReStructuredText transform is the entry point for this processing, making it the clearly vulnerable function.
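The pass-through pattern described above beside an allow-listed form, as an added example that is not Plone's code or the hotfix itself; the function names, the allow-list contents and the type rules are this example's assumptions.

```python
"""Allow-list filtering of caller-supplied options for a ReStructuredText transform.

Illustrative hardening, not Plone's own code: the weak pattern forwards
arbitrary **kwargs into docutils.core.publish_parts, so the caller controls
every parameter that function accepts, including the ones that name output
locations. The hardened version keeps a fixed set of rendering settings and
rejects any other key before docutils is ever called.
"""

# Rendering settings a caller may tune (assumed allow-list; the names are real
# docutils settings, the selection is this example's choice).
ALLOWED_OPTIONS = {
    "initial_header_level": int,
    "report_level": int,
    "halt_level": int,
    "language_code": str,
    "input_encoding": str,
    "output_encoding": str,
}


def convert_passthrough(source, **kwargs):
    """Weak pattern: every caller keyword reaches publish_parts unchanged."""
    from docutils.core import publish_parts  # lazy import; only needed to render
    return publish_parts(source=source, writer_name="html", **kwargs)["body"]


def filter_options(options):
    """Return only allow-listed options; raise on unknown keys or wrong types."""
    unknown = sorted(set(options) - set(ALLOWED_OPTIONS))
    if unknown:
        raise ValueError("rejected transform options: %s" % ", ".join(unknown))
    cleaned = {}
    for key, value in options.items():
        expected = ALLOWED_OPTIONS[key]
        # bool is a subclass of int, so reject True/False for integer settings
        if not isinstance(value, expected) or isinstance(value, bool):
            raise ValueError("option %r must be %s" % (key, expected.__name__))
        cleaned[key] = value
    return cleaned


def is_accepted(options):
    """True when the option set would be forwarded, False when it is rejected."""
    try:
        filter_options(options)
    except ValueError:
        return False
    return True


def convert_hardened(source, **kwargs):
    """Hardened pattern: filtered keys are passed as settings_overrides only."""
    from docutils.core import publish_parts  # lazy import; only needed to render
    settings = filter_options(kwargs)
    return publish_parts(source=source, writer_name="html",
                         settings_overrides=settings)["body"]
```

Rejecting unknown keys outright, rather than silently dropping them, also gives a log line worth alerting on when a manager-level account starts probing the transform with unexpected parameters.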


WAF Protection Rules

WAF Rule

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.
