PT-2021-14443 · Unknown · Products.Genericsetup

Dataflake · Published 2021-03-09 · Updated 2022-01-01 · CVE-2021-21360

CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Products.GenericSetup versions prior to 2.1.1

Description: The issue is an information disclosure vulnerability where anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. This problem has been fixed in version 2.1.1.
Recommendations: For versions prior to 2.1.1, change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip, simply do pip install "Products.GenericSetup>=2.1.1". As a temporary workaround, restrict who may read the setup tool in the ZMI:

1. Visit the ZMI Security tab at portal_setup/manage_access and click on the link Access contents information.
2. On the next page, uncheck the box Also use roles acquired from folders containing this object at the bottom, check the boxes for Manager and Owner, and click Save Changes.
3. Return to the ZMI Security tab at portal_setup/manage_access, scroll down to the link View and click on it.
4. Uncheck the box Also use roles acquired from folders containing this object at the bottom, check the boxes for Manager and Owner, and click Save Changes.
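The workaround above is two permission edits on portal_setup, which is tedious to click through on more than one instance. As an added example (not code from this advisory or from Products.GenericSetup), the same change expressed against Zope's standard AccessControl RoleManager methods (manage_permission, rolesOfPermission, acquiredRolesAreUsedBy), with a read-back check so the result can be verified before committing. The function names, the default tool path "Plone/portal_setup" (the site id is an assumption) and the FakeTool class, a constructed stand-in that lets the module run outside a Zope instance, are all this example's own.

```python
"""Apply the CVE-2021-21360 interim workaround without clicking through the ZMI.

Same effect as the advisory's steps: on portal_setup, switch off role
acquisition for 'Access contents information' and 'View' and grant them only
to Manager and Owner, so anonymous visitors can no longer reach the tool's
log and snapshot files.  The Zope calls used are the standard AccessControl
RoleManager methods; FakeTool below is a constructed stand-in (assumption,
not a Zope object) so the module runs offline.
"""

# The two permissions the advisory tells you to lock down, and the roles
# whose checkboxes stay ticked.
LOCKED_PERMISSIONS = ("Access contents information", "View")
ALLOWED_ROLES = ("Manager", "Owner")


def harden_setup_tool(tool):
    """Restrict both permissions on `tool` (a RoleManager such as portal_setup)
    and return the resulting settings so the caller can verify them."""
    for permission in LOCKED_PERMISSIONS:
        # acquire=0 is the unticked "Also use roles acquired from folders
        # containing this object" box; roles= are the boxes left ticked.
        tool.manage_permission(permission, roles=list(ALLOWED_ROLES), acquire=0)
    return permission_report(tool)


def permission_report(tool):
    """Read the effective settings back through RoleManager's own
    introspection methods: {permission: {"roles": [...], "acquired": bool}}."""
    report = {}
    for permission in LOCKED_PERMISSIONS:
        roles = sorted(entry["name"] for entry in tool.rolesOfPermission(permission)
                       if entry["selected"])
        # acquiredRolesAreUsedBy() returns 'CHECKED' or '' (it feeds the ZMI form).
        acquired = bool(tool.acquiredRolesAreUsedBy(permission))
        report[permission] = {"roles": roles, "acquired": acquired}
    return report


def is_hardened(report):
    """True once neither permission is acquired and no role outside
    ALLOWED_ROLES holds it: the state the workaround is meant to reach."""
    return all(
        not settings["acquired"] and set(settings["roles"]) <= set(ALLOWED_ROLES)
        for settings in report.values()
    )


def apply_to_instance(app, tool_path="Plone/portal_setup"):
    """For `bin/instance run this_script.py`: `app` is the Zope root the runner
    injects; `tool_path` (site id 'Plone' is an assumption) locates the setup
    tool.  Commits only if the read-back verifies, otherwise aborts."""
    import transaction  # Zope's transaction package, present in any instance
    tool = app.unrestrictedTraverse(tool_path)
    report = harden_setup_tool(tool)
    if not is_hardened(report):
        transaction.abort()
        raise RuntimeError("portal_setup permissions did not verify: %r" % report)
    transaction.commit()
    return report


class FakeTool:
    """Constructed stand-in for portal_setup (not a Zope object).  It starts in
    the vulnerable shape: both permissions acquired from the site, where
    Anonymous holds them, which is what lets visitors read the files."""

    ROLES = ("Anonymous", "Authenticated", "Manager", "Owner")

    def __init__(self):
        self._perms = {p: {"roles": ["Anonymous", "Manager"], "acquire": 1}
                       for p in LOCKED_PERMISSIONS}

    def manage_permission(self, permission_to_manage, roles=(), acquire=0, REQUEST=None):
        self._perms[permission_to_manage] = {"roles": list(roles), "acquire": acquire}

    def rolesOfPermission(self, permission):
        held = self._perms[permission]["roles"]
        return [{"name": r, "selected": "SELECTED" if r in held else ""} for r in self.ROLES]

    def acquiredRolesAreUsedBy(self, permission):
        return "CHECKED" if self._perms[permission]["acquire"] else ""


if __name__ == "__main__":
    zope_app = globals().get("app")  # injected by bin/instance run; absent offline
    if zope_app is not None:
        print(apply_to_instance(zope_app))
    else:
        tool = FakeTool()
        print("before:", permission_report(tool), "hardened:", is_hardened(permission_report(tool)))
        after = harden_setup_tool(tool)
        print("after: ", after, "hardened:", is_hardened(after))
```

Run it offline to see the before/after against the stand-in, or as bin/instance run harden_portal_setup.py inside the instance, where it finds the real tool, applies the two edits and commits only if the read-back matches. Note that, like the ZMI steps, this restricts the whole setup tool to Manager and Owner rather than just the log and snapshot files; the advisory's actual fix is the upgrade to 2.1.1.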

Fix

Information Disclosure

Related Identifiers

CVE-2021-21360
GHSA-JFF3-MWP3-F8CW
PYSEC-2021-43

Affected Products

Products.Genericsetup