Server Side Request Forgery via event ical URL

Versions affected

5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.1rc2
5.1rc1
5.1b4
5.1b3
5.1b2
5.1a2
5.1a1
5.1.7
5.1.6
5.1.5
5.1.4
5.1.2
5.1.1
5.1
5.0rc3
5.0rc2
5.0rc1
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.10
5.0.1
5.0

Vulnerability

By using a file URL in the form for importing a calendar, you could trick Plone to try to load a file from the server. Mostly likely this would fail, because the most files do not have the ical format. But someone with the Manager role would see an error with the contents of one line of the file.

Current status

Partially fixed in plone.app.event 3.2.10 after the first report by MisakiKata, but recently David Miller showed that our fix was incomplete. The hotfix contains a complete fix.

Credits

Discovered by

MisakiKata
David Miller

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2021-33510

Type

Server Side Request Forgery

Severity

3.5 – low
Vector	Network
Complexity	Medium
Authentication	Single
Confidentiality	Partial
Integrity	None
Availability	None

Timeline

Vulnerability reported: 2020-11-10
Hotfix released: 2021-05-18