CVE-2021-21360 — MEDIUM (5.3)

Q: How severe is CVE-2021-21360?

CVE-2021-21360 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21360?

Check the references section above for vendor advisories and patch information. Affected products include: Zope Products.Genericsetup.

Vulnerability Description

Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `"Products.GenericSetup>=2.1.1"`.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Zope	Products.Genericsetup	< 2.1.1

Related Weaknesses (CWE)

CWE-200

References

http://www.openwall.com/lists/oss-security/2021/05/21/1Mailing List
http://www.openwall.com/lists/oss-security/2021/05/22/1Mailing List
https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b38PatchThird Party Advisory
https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSAThird Party Advisory
https://pypi.org/project/Products.GenericSetup/ProductThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/21/1Mailing List
http://www.openwall.com/lists/oss-security/2021/05/22/1Mailing List
https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b38PatchThird Party Advisory
https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSAThird Party Advisory
https://pypi.org/project/Products.GenericSetup/ProductThird Party Advisory

FAQ

What is CVE-2021-21360?

CVE-2021-21360 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information dis...

How severe is CVE-2021-21360?

CVE-2021-21360 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21360?

Check the references section above for vendor advisories and patch information. Affected products include: Zope Products.Genericsetup.