CVE-2021-21336: Exposure of Sensitive Information to an Unauthorized Actor in Products.PluggableAuthService ZODBRoleManager
What kind of vulnerability is it? Who is impacted?
Information disclosure vulnerability: anyone, including unauthenticated visitors, can list the names of the roles defined in the ZODB Role Manager plugin. A site is affected only if its PluggableAuthService (PAS) instance uses the ZODBRoleManager plugin as a role source. Role names by themselves grant no access, but they expose the site's authorization model and let an attacker pick privileged roles to target. The fix is the upstream commit referenced below; upgrade to a release that contains it.
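The practical check for this advisory is a dependency check: is the installed Products.PluggableAuthService older than the fixed release? The following is an added example (not code from the project, GitLab or the advisory) that evaluates a pinned version against an OSV-style record of the kind PYSEC publishes, using introduced/fixed events. The advisory record and the `pip freeze` sample are constructed here, and the `2.6.0` fixed version in it is an assumption for the example: confirm it against the linked PYSEC/GHSA record before relying on it.

```python
"""Evaluate a pinned Products.PluggableAuthService version against an
OSV-style advisory record.  Added example, not project or GitLab code."""
import re
from typing import List, Tuple

# Constructed record in the shape OSV/PYSEC advisories use: a list of ranges,
# each a sorted sequence of "introduced"/"fixed" events.  Assumption: the
# fixed version below must be checked against PYSEC-2021-44 / GHSA-p75f-g7gx-2r7p.
ADVISORY = {
    "id": "CVE-2021-21336",
    "package": "Products.PluggableAuthService",
    "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "2.6.0"}]},
    ],
}

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3   # a final release sorts after any of its pre-releases


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Parse a small PEP 440 subset: N(.N)* with an optional a/b/rc suffix.
    Returns (release_segments, prerelease_key); anything else is rejected
    rather than silently compared wrong."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", v.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return release, pre


def version_lt(a: str, b: str) -> bool:
    """True if version a < b.  Release segments are zero-padded so that
    2.6 == 2.6.0, and 2.6.0b1 < 2.6.0."""
    ra, pa = parse_version(a)
    rb, pb = parse_version(b)
    n = max(len(ra), len(rb))
    ra += (0,) * (n - len(ra))
    rb += (0,) * (n - len(rb))
    return (ra, pa) < (rb, pb)


def is_affected(installed: str, advisory: dict = ADVISORY) -> bool:
    """Walk each range's events in order (OSV requires them sorted):
    an 'introduced' at or below the installed version opens a vulnerable
    interval, a 'fixed' at or below it closes the interval again.
    'introduced: 0' is OSV's way of saying 'from the first version'."""
    for rng in advisory["ranges"]:
        vulnerable = False
        for ev in rng["events"]:
            if "introduced" in ev and not version_lt(installed, ev["introduced"]):
                vulnerable = True
            elif "fixed" in ev and not version_lt(installed, ev["fixed"]):
                vulnerable = False
        if vulnerable:
            return True
    return False


def _normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse -, _ and . runs."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_freeze(freeze_output: str, advisory: dict = ADVISORY) -> List[str]:
    """Return the affected 'name==version' pins in `pip freeze` output.
    Lines without '==' (editable installs, VCS URLs) are not pinned releases
    and are skipped; a real scanner would flag them for manual review."""
    target = _normalize(advisory["package"])
    hits = []
    for raw in freeze_output.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        if _normalize(name) == target and is_affected(version, advisory):
            hits.append(f"{name}=={version}")
    return hits


# Constructed `pip freeze` output for the example.
SAMPLE_FREEZE = """\
Products.PluggableAuthService==2.5.1
Zope==5.1
"""

if __name__ == "__main__":
    for hit in scan_freeze(SAMPLE_FREEZE):
        print(f"{ADVISORY['id']}: {hit} is affected")
```

Note that the pre-release handling matters in practice: a pin of a pre-release of the fixed version is still vulnerable, and a naive string or float comparison of `2.6.0b1` against `2.6.0` gets that wrong.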
References
- github.com/advisories/GHSA-p75f-g7gx-2r7p
- github.com/pypa/advisory-database/tree/main/vulns/products-pluggableauthservice/PYSEC-2021-44.yaml
- github.com/zopefoundation/Products.PluggableAuthService
- github.com/zopefoundation/Products.PluggableAuthService/commit/2dad81128250cb2e5d950cddc9d3c0314a80b4bb
- github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p
- nvd.nist.gov/vuln/detail/CVE-2021-21336
- pypi.org/project/Products.PluggableAuthService
Detect and mitigate CVE-2021-21336 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →