Privilege escalation when plone.restapi is installed

Versions affected

5.2.1
5.2.0

Vulnerability

Sites using plone.restapi allow for users with a certain privilege level to escalate their privileges up to the highest level. A site is only vulnerable when plone.restapi is installed in the add-ons (modules) control panel. plone.restapi is included since Plone version 5.2, but not installed by default.

Current status

Patched

Credits

Discovered by

Lukas Graf
Niklaus Johner

Fixed by

Lukas Graf
Niklaus Johner

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2020-7938

Type

Privilege escalation

Severity

8.5 – high
Vector	Network
Complexity	Medium
Authentication	Single
Confidentiality	Complete
Integrity	Complete
Availability	Complete

Timeline

Vulnerability reported: 2019-12-12
Hotfix released: 2020-01-21