GHSA-x7wf-5mjc-6x76

Source

https://github.com/advisories/GHSA-x7wf-5mjc-6x76

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-x7wf-5mjc-6x76/GHSA-x7wf-5mjc-6x76.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x7wf-5mjc-6x76

Aliases

Published

2021-04-07T21:13:44Z

Modified

2024-10-16T03:09:11.622357Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

SSRF attacks via tracebacks in Plone

Details

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).

Database specific

{
    "github_reviewed_at": "2021-04-07T19:31:51Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "nvd_published_at": "2020-12-30T19:15:00Z"
}

References

Affected packages

PyPI / plone

Package

Name: plone; View open source insights on deps.dev
Purl: pkg:pypi/plone

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.3

Affected versions

3.*

3.2a1

3.2rc1

3.2

3.2.1

3.2.2

3.2.3

3.3b1

3.3rc1

3.3rc2

3.3rc3

3.3rc4

3.3rc5

3.3

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

4.*

4.0a1

4.0a2

4.0a3

4.0a4

4.0a5

4.0b1

4.0b2

4.0b3

4.0b4

4.0b5

4.0rc1

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.1a1

4.1a2

4.1a3

4.1b1

4.1b2

4.1rc2

4.1rc3

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.2a1

4.2a2

4.2b1

4.2b2

4.2rc1

4.2rc2

4.2

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3a1

4.3a2

4.3b1

4.3b2

4.3rc1

4.3

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.3.12

4.3.13

4.3.14

4.3.15

4.3.16

4.3.17

4.3.18

4.3.19

4.3.20

5.*

5.0a1

5.0a2

5.0a3

5.0b1

5.0b2

5.0b3

5.0b4

5.0rc1

5.0rc2

5.0rc3

5.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.1a1

5.1a2

5.1b1

5.1b2

5.1b3

5.1b4

5.1rc1

5.1rc2

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.2a1

5.2a2

5.2b1

5.2rc1

5.2rc2

5.2rc3

5.2rc4

5.2rc5

5.2.0

5.2.1

5.2.2

PyPI / plone-app-event

Package

Name: plone-app-event; View open source insights on deps.dev
Purl: pkg:pypi/plone-app-event

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.10

Affected versions

1.*

1.0a1

1.0a2

1.0b1

1.0b2

1.0b3

1.0b4

1.0b5

1.0b6

1.0b7

1.0b8

1.0rc1

1.0rc2

1.0rc3

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.1.a1

1.1b1

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.10

1.1.11

1.1.12

1.1.13

1.2

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

2.*

2.0a1

2.0a2

2.0a3

2.0a4

2.0a5

2.0a6

2.0a7

2.0a8

2.0a9

2.0a10

2.0a11

2.0a12

2.0a13

2.0b1

2.0b2

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

3.*

3.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.1

3.1.1

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

PyPI / plone-app-theming

Package

Name: plone-app-theming; View open source insights on deps.dev
Purl: pkg:pypi/plone-app-theming

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.6

Affected versions

1.*

1.0b1

1.0b2

1.0b3

1.0b4

1.0b5

1.0b6

1.0b7

1.0b8

1.0b9

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1a1

1.1a2

1.1b1

1.1b2

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

2.*

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

3.*

3.0.0

3.0.1

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

PyPI / plone-app-dexterity

Package

Name: plone-app-dexterity; View open source insights on deps.dev
Purl: pkg:pypi/plone-app-dexterity

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.8

Affected versions

1.*

1.0a1

1.0a2

1.0a3

1.0a4

1.0a5

1.0a6

1.0a7

1.0b1

1.0b2

1.0b3

1.0b4

1.0rc1

1.0

1.0.1

1.0.2

1.0.3

1.1

1.2

1.2.1

1.2.2

2.*

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.20

2.2.0

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

PyPI / plone-supermodel

Package

Name: plone-supermodel; View open source insights on deps.dev
Purl: pkg:pypi/plone-supermodel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.3

Affected versions

1.*

1.0b1

1.0b2

1.0b3

1.0b4

1.0b5

1.0b6

1.0b7

1.0b8

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

1.5.0

1.6.0

1.6.1

1.6.2