CVE-2021-33509: Incorrect Permission Assignment for Critical Resource in Plone
CVSS Score: 10 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-33509
GHSA ID:
EPSS Score: 0.75795%
CWE: Incorrect Permission Assignment for Critical Resource
Published: 6/15/2021
Updated: 10/18/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Plone | pip | < 5.2.5 | 5.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Plone's ReStructuredText transformation utility improperly handling user-controlled keyword arguments. The transform passes these arguments straight through to docutils' publish_parts function, which accepts parameters that control where output files are written. An authenticated manager could therefore supply arguments such as 'output' and make the transform write arbitrary files. The hotfix addressed this by restricting the set of parameters that may be passed through. The convert method of the restructuredtext transform is the entry point for this processing, which makes it the vulnerable function.
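The mitigation the analysis describes, restricting which caller-supplied parameters reach docutils, is illustrated below as an added example. This is not Plone's or docutils' own code: the function names, the allowlist contents and the sample arguments are assumptions made for this illustration. The design point is that user-controlled keyword arguments are filtered against an explicit allowlist and then placed only in docutils' settings_overrides, never spread into the publish_parts call itself, where parameters such as destination_path select a file on disk.

```python
"""Allowlist filter for keyword arguments handed to a docutils-based
ReStructuredText transform (added illustration, not Plone's own code).
The hardened transform would pass the result of build_publish_call()
to docutils.publish_parts(); docutils itself is not imported here so
the example runs offline."""

import logging

log = logging.getLogger(__name__)

# Assumed allowlist: rendering options a caller may legitimately tune.
# Anything that names a filesystem path or an output destination is
# absent on purpose, so it is dropped before reaching docutils.
ALLOWED_REST_KWARGS = frozenset({
    "initial_header_level",
    "report_level",
})


def sanitize_rest_kwargs(kwargs):
    """Split caller-supplied kwargs into (accepted, rejected).

    Keys not on the allowlist are dropped rather than forwarded, which
    closes the path from a request parameter to a docutils setting that
    controls file output. Rejected keys are returned sorted so the caller
    can log them: a manager account that keeps sending 'output' or
    'destination_path' is worth an alert in the application log.
    """
    accepted = {k: v for k, v in kwargs.items() if k in ALLOWED_REST_KWARGS}
    rejected = sorted(k for k in kwargs if k not in ALLOWED_REST_KWARGS)
    for key in rejected:
        log.warning("dropped disallowed rest transform argument %r", key)
    return accepted, rejected


def build_publish_call(source, **kwargs):
    """Return the keyword arguments a hardened convert() would hand to
    publish_parts(). The writer is fixed by the transform, and the
    filtered user options go under settings_overrides only, so no
    caller-supplied key can become a top-level publish_parts parameter.
    """
    accepted, _rejected = sanitize_rest_kwargs(kwargs)
    return {
        "source": source,
        "writer_name": "html",          # assumed writer for this example
        "settings_overrides": accepted,
    }


# Constructed sample request: legitimate rendering options mixed with
# the kind of file-output arguments the advisory describes. 'output' is
# the name quoted on the page; 'destination_path' is a real
# publish_parts parameter. The paths are placeholders, not real targets.
SAMPLE_KWARGS = {
    "initial_header_level": 2,
    "output": "/tmp/placeholder.txt",
    "destination_path": "/tmp/placeholder.html",
}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    call = build_publish_call("Title\n=====\n\nBody.\n", **SAMPLE_KWARGS)
    print("forwarded to publish_parts:", call)
```

Running the module logs one warning per rejected key and prints the call with only initial_header_level surviving inside settings_overrides. The same split is what a detection rule would key on: repeated rejections of output-related parameters from a single account are a useful signal that someone is probing this code path.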