VYPR
Critical severity · NVD Advisory · Published May 21, 2021 · Updated Aug 3, 2024

CVE-2021-33509

Description

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Plone CMS versions up to 5.2.4 allow remote authenticated managers to perform arbitrary file read/write through crafted keyword arguments to the ReStructuredText transform in a Python script.

Vulnerability

The vulnerability exists in Plone CMS through version 5.2.4 (and all earlier 5.x versions, as well as 4.3.20 and earlier 4.3.x versions) [3]. It allows remote authenticated managers to craft keyword arguments in a Python script that uses the ReStructuredText transform, leading to disk I/O operations such as arbitrary file read or write [1][4]. The affected component is the ReStructuredText transform, which can be invoked with malicious parameters.

Exploitation

An attacker must have a valid manager account on a Plone site; no privileges beyond manager-level authentication are required [1]. The attacker crafts a Python script that calls the ReStructuredText transform with specially crafted keyword arguments that include file paths or content, and the script can be executed via the web interface. No special network position is needed beyond being able to reach the Plone instance as a manager.

Impact

Successful exploitation allows an authenticated manager to read or write arbitrary files on the server filesystem [1][4]. This can lead to disclosure of sensitive information (e.g., configuration files, passwords) or modification of critical system files, potentially leading to full compromise of the Plone server. The impact is high as it allows disk I/O beyond normal web application boundaries.

Mitigation

Plone released a security hotfix on May 18, 2021, which addresses this vulnerability [3]. Administrators should apply the hotfix immediately on all affected versions (Plone 4.3.20 and earlier, Plone 5.2.4 and earlier). There is no workaround if the hotfix cannot be applied; upgrading to a patched version is the recommended mitigation. No CVE had been assigned at the time of the hotfix release; CVE-2021-33509 was assigned later [4]. The hotfix is available from the Plone security page [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Plone (PyPI)
Affected versions: < 5.2.5
Patched versions: 5.2.5

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)