CVE-2021-21360

Exposure of Sensitive Information to an Unauthorized Actor in Products.GenericSetup

Severity Score: 5.3 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: < 2.1.1 (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability: anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply run pip install "Products.GenericSetup>=2.1.1".
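The remediation above reduces to one question: is the Products.GenericSetup you actually run (pinned in buildout, or installed by pip) below 2.1.1? The following is an added example, not code from the advisory or from the Products.GenericSetup project; it uses only the standard library, and the buildout.cfg it audits is a constructed sample. The version parser handles the pre-release and post-release forms that a naive string comparison gets wrong (e.g. "2.1.1rc1" is still vulnerable, "2.1.1.post1" is not).

```python
"""Added example: audit a buildout pin or the installed distribution of
Products.GenericSetup against the 2.1.1 fix threshold from the advisory."""
import configparser
import re
from importlib import metadata

DIST_NAME = "Products.GenericSetup"
FIXED_VERSION = "2.1.1"  # first release containing the fix, per the advisory

# Pre-release tags sort before the final release of the same number.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(
    r"(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre>a|b|rc)(?P<pre_n>\d+))?"
    r"(?:\.post(?P<post>\d+))?"
)


def parse_version(text):
    """Parse a PEP 440-style version into a comparable (release, pre, post) tuple.

    Covers the forms that matter for this check: plain releases ("2.1.1"),
    pre-releases ("2.1.1rc1") and post-releases ("2.1.1.post1").
    Trailing zeros are dropped so "2.1.1.0" compares equal to "2.1.1".
    """
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group("pre"):
        pre = (_PRE_RANK[m.group("pre")], int(m.group("pre_n")))
    else:
        pre = (_FINAL_RANK, 0)
    post = int(m.group("post") or 0)
    return (tuple(release), pre, post)


def is_vulnerable(version):
    """True when `version` is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version():
    """Version of the pip-installed distribution, or None if it is absent."""
    try:
        return metadata.version(DIST_NAME)
    except metadata.PackageNotFoundError:
        return None


def audit_buildout_pins(cfg_text):
    """Return (pinned_version, vulnerable) from a buildout [versions] section.

    Both values are None when the package is not pinned there at all, which
    is itself worth flagging: an unpinned buildout may resolve to any release.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # buildout pins are case-sensitive distribution names
    cp.read_string(cfg_text)
    if not cp.has_section("versions"):
        return (None, None)
    pinned = cp["versions"].get(DIST_NAME)
    if pinned is None:
        return (None, None)
    return (pinned, is_vulnerable(pinned))


# Constructed sample buildout.cfg (not taken from any real deployment).
SAMPLE_BUILDOUT = """\
[buildout]
extends = versions.cfg
parts = instance

[versions]
Products.GenericSetup = 2.1.0
Zope = 5.1
"""

if __name__ == "__main__":
    pin, vuln = audit_buildout_pins(SAMPLE_BUILDOUT)
    print(f"buildout pin: {pin} -> {'VULNERABLE' if vuln else 'ok'}")
    live = installed_version()
    if live is None:
        print(f"{DIST_NAME} is not installed in this interpreter")
    else:
        print(f"installed: {live} -> {'VULNERABLE' if is_vulnerable(live) else 'ok'}")
```

Run it from the Zope instance's own interpreter (the buildout-generated one, not the system Python), otherwise `installed_version()` reports on the wrong environment. A pin that is missing from `[versions]` should be treated as a finding too, since the next `bin/buildout` run can silently pick a vulnerable release.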


*Credits: N/A
CVSS Scores
Metric                                 CVSS v3.1    CVSS v2.0
Attack Vector                          Network      Network
Attack Complexity                      Low          Low
Privileges Required / Authentication   None         None
User Interaction                       None         -
Scope                                  Unchanged    -
Confidentiality                        Low          Partial
Integrity                              None         None
Availability                           None         None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-12-22 CVE Reserved
  • 2021-03-09 CVE Published
  • 2023-11-22 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product                 Version   Other   Status
Zope     Products.genericsetup   < 2.1.1   -       Affected