CVE-2021-21337 - OpenCVE

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zope	Products.pluggableauthservice

Configuration 1 [-]

cpe:2.3:a:zope:products.pluggableauthservice:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html
https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa
https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr
https://pypi.org/project/Products.PluggableAuthService/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-08T21:10:20

Updated: 2024-08-03T18:09:15.746Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21337

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-08T21:15:16.807

Modified: 2022-01-01T18:02:30.367

Link: CVE-2021-21337

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Products.PluggableAuthService", "vendor": "zopefoundation", "versions": [{"status": "affected", "version": "< 2.6.1"}]}], "descriptions": [{"lang": "en", "value": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\"."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-02T15:06:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/Products.PluggableAuthService/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html"}], "source": {"advisory": "GHSA-p44j-xrqg-4xrr", "discovery": "UNKNOWN"}, "title": "URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21337", "STATE": "PUBLIC", "TITLE": "URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Products.PluggableAuthService", "version": {"version_data": [{"version_value": "< 2.6.1"}]}}]}, "vendor_name": "zopefoundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\"."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}]}, "references": {"reference_data": [{"name": "https://pypi.org/project/Products.PluggableAuthService/", "refsource": "MISC", "url": "https://pypi.org/project/Products.PluggableAuthService/"}, {"name": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr", "refsource": "CONFIRM", "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr"}, {"name": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa", "refsource": "MISC", "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa"}, {"name": "http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html"}]}, "source": {"advisory": "GHSA-p44j-xrqg-4xrr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.746Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/Products.PluggableAuthService/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21337", "datePublished": "2021-03-08T21:10:20", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.746Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zope:products.pluggableauthservice:*:*:*:*:*:*:*:*", "matchCriteriaId": "660F14A0-3EF8-4F9A-86F9-6A97D527E35A", "versionEndExcluding": "2.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\"."}, {"lang": "es", "value": "Products.PluggableAuthService es un framework de autenticaci\u00f3n y autorizaci\u00f3n de Zope conectable. En Products.PluggableAuthService versiones anteriores a 2.6.0, se presenta una vulnerabilidad de redireccionamiento abierto. Un enlace maliciosamente dise\u00f1ado en el formulario de inicio de sesi\u00f3n y la funcionalidad login podr\u00eda redireccionar el navegador a un sitio web diferente. El problema ha sido corregido en la versi\u00f3n 2.6.1. Dependiendo de c\u00f3mo haya instalado Products.PluggableAuthService, debe cambiar el pin de la versi\u00f3n de compilaci\u00f3n a \"2.6.1\" y volver a ejecutar la compilaci\u00f3n, o si us\u00f3 pip simplemente haga la instalaci\u00f3n de pip \"Products.PluggableAuthService versiones posteriores o iguales a 2.6.1\""}], "id": "CVE-2021-21337", "lastModified": "2022-01-01T18:02:30.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-08T21:15:16.807", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/Products.PluggableAuthService/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}