PT-2021-14430 · Unknown · Zodb Role Manager +1
Dataflake · Published 2021-03-08 · Updated 2022-06-03 · CVE-2021-21336
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Products.PluggableAuthService versions prior to 2.6.0
Description: This is an information disclosure vulnerability: if a site uses the ZODB Role Manager plugin, any user, including unauthenticated ones, can list the names of the roles defined in that plugin. The problem has been fixed in version 2.6.0.
Recommendations: For versions prior to 2.6.0, change the buildout version pin to 2.6.0 and re-run the buildout, or, if you installed with pip, run pip install "Products.PluggableAuthService>=2.6.0".

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2021-21336
GHSA-P75F-G7GX-2R7P
PYSEC-2021-44

Affected Products

Products.PluggableAuthService
ZODB Role Manager