製品・ソフトウェアに関する情報

JVN脆弱性詳細

Products.GenericSetup における情報漏えいに関する脆弱性

Title	Products.GenericSetup における情報漏えいに関する脆弱性
Summary	Products.GenericSetup には、情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 2, 2021, midnight
Registration Date	Nov. 18, 2021, 5:49 p.m.
Last Update	Nov. 18, 2021, 5:49 p.m.

Affected System

Zope Foundation

Products.GenericSetup 2.1.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-21360	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21360
National Vulnerability Database (NVD)
2	CVE-2021-21360	https://nvd.nist.gov/vuln/detail/CVE-2021-21360

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
GitHub
1	Enforce access control on snapshot files and folders.	https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b3871a1f24e096cf66dc488c57
Python Package Index (PyPI)
2	Products.GenericSetup 2.1.4	https://pypi.org/project/Products.GenericSetup/

その他

No	Name	URL
関連文書
1	Plone security hotfix 20210518	http://www.openwall.com/lists/oss-security/2021/05/21/1
2	Re: Plone security hotfix 20210518	http://www.openwall.com/lists/oss-security/2021/05/22/1

Change Log

No	Changed Details	Date of change
1	[2021年11月18日] 掲載	Nov. 18, 2021, 5:49 p.m.

NVD Vulnerability Information

CVE-2021-21360

Summary	Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `"Products.GenericSetup>=2.1.1"`.
Publication Date	March 9, 2021, 10:15 a.m.
Registration Date	March 9, 2021, 4:01 p.m.
Last Update	Nov. 21, 2024, 2:48 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:zope:products.genericsetup::::::::					2.1.1

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List
2	http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List
3	http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List
4	http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List
5	https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b3871a1f24e096cf66dc488c57	Patch Third Party Advisory
6	https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b3871a1f24e096cf66dc488c57	Patch Third Party Advisory
7	https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSA-jff3-mwp3-f8cw	Third Party Advisory
8	https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSA-jff3-mwp3-f8cw	Third Party Advisory
9	https://pypi.org/project/Products.GenericSetup/	Product Third Party Advisory
10	https://pypi.org/project/Products.GenericSetup/	Product Third Party Advisory

Common Vulnerabilities List