CVE Vulnerability

CVE-2021-21360

Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `"Products.GenericSetup>=2.1.1"`.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://pypi.org/project/Products.GenericSetup/ Product Third Party Advisory
https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSA-jff3-mwp3-f8cw Third Party Advisory
https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b3871a1f24e096cf66dc488c57 Patch Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/21/1 Mailing List
http://www.openwall.com/lists/oss-security/2021/05/22/1 Mailing List
Configurations

Configuration 1

cpe:2.3:a:zope:products.genericsetup:*:*:*:*:*:*:*:*
Information

Published : 2021-03-09 01:15

Updated : 2022-01-01 06:02

NVD link : CVE-2021-21360

Mitre link : CVE-2021-21360

Products Affected
No products.
CWE
CWE-200