Headline
CVE-2021-33926: Subodh/Plone 5.2.4 Vulnerable to bilend SSRF.pdf at master · s-kustm/Subodh
An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet.
Vulnerability By adding an RSS feed portlet in their dashboard, a normal member could try loading the RSS feed of an internal service that is otherwise unreachable for this member.
Current status as of 20 May, 2020 Hotfixed. Note: the only fix we do, is that we only allow HTTP and HTTPS access, so you cannot use the file protocol or any other protocol. The more general case of accessing internal servers here and in other parts of the Plone code, cannot truly be fixed without major code changes or breaking valid use cases. For example, on an Intranet, you may want to show the RSS feed of an internal log server.