CVE-2021-33509

CVSS v3 base score: 9.9 CRITICAL

📋 TL;DR

This vulnerability lets a remote attacker who already holds a Manager account in Plone perform arbitrary disk I/O by passing crafted keyword arguments to the ReStructuredText transform from a through-the-web Python Script. The attacker can write files of their choosing anywhere the Zope process user can write, which can be turned into remote code execution. Exploitation requires an authenticated account with the Manager role; unauthenticated visitors and lower-privileged roles cannot trigger it.

💻 Affected Systems

Products:
  • Plone
Versions: Through 5.2.4
Operating Systems: All platforms running Plone
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated Manager account. The vulnerable code path is present in a default install, so every instance is exposed to a compromised or malicious Manager; the hotfix does not change the Plone version number, so the version alone does not tell you whether an instance is patched.

📦 What is this software?

Plone is an open-source content management system written in Python and built on the Zope application server. Managers can create small server-side "Python Scripts" through the web (in the Zope Management Interface), and the site's portal_transforms tool converts ReStructuredText to HTML using the docutils library. This vulnerability sits where those two features meet: a Python Script written by a Manager can hand the transform keyword arguments that docutils turns into file operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Unauthorized file writes allowing privilege escalation, backdoor installation, or data manipulation.

🟢 If Mitigated: Limited impact if Manager accounts are tightly controlled and the Zope process runs as an unprivileged OS user with a read-only code tree, so an arbitrary write cannot reach files the instance executes.

🌐 Internet-Facing: HIGH - Internet-facing Plone instances with manager accounts are directly exploitable.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires manager credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hotfix 20210518 (distributed as the Products.PloneHotfix20210518 package) or later

Vendor Advisory: https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script

Restart Required: Yes

Instructions:

1. Add Products.PloneHotfix20210518 to the eggs of your buildout (or install it with pip into the instance's Python environment), following the vendor advisory.
2. Re-run buildout so the hotfix is picked up by the instance.
3. Restart the Plone/Zope instance; if you run several instances behind a load balancer or ZEO, restart every one of them.
4. Verify the fix is applied (see How to Verify below); checking the Plone version is not enough, because the hotfix does not change it.

🔧 Temporary Workarounds

Restrict Manager Access (all platforms)

Until the hotfix is applied, reduce Manager accounts to the minimum, disable or remove any that are not needed day to day, and make sure the remaining ones use strong, unique passwords. Every Plone site has at least one Manager, so this limits exposure rather than removing it.

Disable ReStructuredText Transform (all platforms)

If the site does not publish ReStructuredText content, remove or restrict the ReStructuredText transform in the portal_transforms tool. This removes the vulnerable code path, but existing ReStructuredText content will no longer render until the transform is restored.

🧯 If You Can't Patch

  • Implement strict access controls to limit Manager account usage, and review who holds the role
  • Run the Zope process as a dedicated, unprivileged OS user with a read-only code tree, so an arbitrary write is confined to the instance's var/ directory and cannot overwrite code the instance executes
  • Monitor the access log for creation or editing of Python Scripts in the ZMI by Manager accounts, and put file-integrity monitoring on the directories the Zope process user can write to

🔍 How to Verify

Check if Vulnerable:

Any Plone release up to and including 5.2.4 is affected unless hotfix 20210518 has been installed. The version number alone does not settle it, because installing the hotfix leaves the Plone version unchanged.

Check Version:

Open Site Setup > Overview (the Plone control panel) to read the Plone version, or list the Plone distribution in the instance's Python environment.

Verify Fix Applied:

Confirm that Products.PloneHotfix20210518 is installed in the instance's Python environment and that the instance was restarted afterwards. The hotfix logs each patch it applies when the instance starts, so the instance's event log should show it loading.
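The two checks above (is the Plone version in the affected range, and is the hotfix distribution present) can be scripted. The following is an added example, not code from the Plone project or from the hotfix; it assumes the hotfix is installed as the distribution Products.PloneHotfix20210518 and that Plone itself is installed as the distribution named Plone, and it follows the CVE's "through 5.2.4" range, comparing only the first three version components so that a bugfix release of 5.2.4 still counts as affected.

```python
import re
from importlib import metadata

# CVE-2021-33509: Plone through 5.2.4 is affected (range taken from the CVE text).
LAST_AFFECTED = (5, 2, 4)
# Assumption: the hotfix is installed as this distribution name.
HOTFIX_DIST = "Products.PloneHotfix20210518"
# Assumption: Plone itself is installed as the distribution "Plone".
PLONE_DIST = "Plone"


def parse_version(text):
    """Turn '5.2.4', '5.2', '5.2.4.1' or '5.2.5rc1' into a tuple of ints.

    Pre-release tags are ignored; a short version is padded so '5.2' compares like 5.2.0.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def version_affected(version):
    """True when the version falls in the range the CVE names (anything <= 5.2.4).

    Only the first three components are compared, so a hypothetical 5.2.4.1 is
    still treated as affected rather than silently passing.
    """
    return parse_version(version)[:3] <= LAST_AFFECTED


def hotfix_installed():
    """True when the hotfix distribution is present in the current Python environment."""
    try:
        metadata.version(HOTFIX_DIST)
        return True
    except metadata.PackageNotFoundError:
        return False


def installed_plone_version():
    """Plone version from the current environment, or None when Plone is not installed here."""
    try:
        return metadata.version(PLONE_DIST)
    except metadata.PackageNotFoundError:
        return None


def assess(version, hotfix_present):
    """Combine the version check and the hotfix check into one verdict."""
    if not version_affected(version):
        return "not affected: Plone version is newer than 5.2.4"
    if hotfix_present:
        return "patched: affected version, but hotfix 20210518 is installed (restart required after install)"
    return "VULNERABLE: affected version and no hotfix 20210518 installed"


if __name__ == "__main__":
    found = installed_plone_version()
    if found is None:
        print("Plone is not installed in this Python environment; run this with the instance's Python")
    else:
        print(f"Plone {found}: {assess(found, hotfix_installed())}")
```

Run it with the instance's own interpreter (for a buildout-based install, bin/instance run on the script file, or the buildout's zopepy), because the distribution lookups only see the environment the script runs in; from any other interpreter it simply reports that Plone is not installed. A "patched" verdict still assumes the instance was restarted after the hotfix went in.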

📡 Detection & Monitoring

Log Indicators:

  • Creation or editing of through-the-web Python Scripts in the ZMI (manage_addPythonScript, ZPythonScriptHTML_editAction, WebDAV PUT) by a Manager account, especially from an unfamiliar address or outside normal working hours
  • New or modified files in directories the Zope process user can write to; Plone itself does not log disk writes, so this needs OS-level auditing (auditd, file-integrity monitoring)

Network Indicators:

  • HTTP requests to a newly created Python Script URL, or to ZMI management endpoints, carrying unusual query parameters
  • Manager sessions from source addresses not previously associated with that account

SIEM Query:

Illustrative Splunk-style query over Zope's access log (Z2.log); field names depend on how your collector parses it:

source="zope_access_log" AND user!="Anonymous" AND (uri="*manage_addPythonScript*" OR uri="*ZPythonScriptHTML_editAction*" OR method="PUT")
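The indicators above depend on spotting Python Script creation and editing in the access log. The following is an added detection example, not part of this page's original content or of Plone; it parses a few constructed lines in the Apache combined-style format Zope writes to Z2.log (with the authenticated Zope user in the third field, "Anonymous" when unauthenticated) and flags the ZMI actions that create or edit a Python Script, plus WebDAV PUT uploads by authenticated users. The sample log lines, the object name rst_helper and the addresses are constructed for the example.

```python
import re

# Constructed sample log lines in the Apache combined-style format Zope writes to Z2.log.
# Third field = authenticated Zope user ("Anonymous" when there is none).
SAMPLE_LOG = """\
10.0.0.5 - admin [18/May/2021:10:01:02 +0000] "GET /Plone/manage_main HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.5 - admin [18/May/2021:10:01:40 +0000] "POST /Plone/manage_addProduct/PythonScripts/manage_addPythonScript HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - admin [18/May/2021:10:02:15 +0000] "POST /Plone/rst_helper/ZPythonScriptHTML_editAction HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.0.0.5 - admin [18/May/2021:10:02:30 +0000] "GET /Plone/rst_helper HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.9 - Anonymous [18/May/2021:10:03:00 +0000] "GET /Plone/front-page HTTP/1.1" 200 15220 "-" "Mozilla/5.0"
203.0.113.9 - Anonymous [18/May/2021:10:03:10 +0000] "PUT /Plone/rst_helper HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

# host ident user [timestamp] "METHOD path protocol" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ZMI form actions that create or edit a through-the-web Python Script.
SCRIPT_MANAGEMENT = (
    "manage_addProduct/PythonScripts/manage_addPythonScript",
    "ZPythonScriptHTML_editAction",
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_script_management_events(log_text):
    """Return entries where an authenticated user created, edited or uploaded a Python Script.

    A WebDAV PUT is also a way to write script source, so authenticated PUTs are
    reported too; an unauthenticated PUT gets a 401 and is ignored here.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]  # match on the path, not the query string
        matched = [a for a in SCRIPT_MANAGEMENT if path.endswith(a)]
        if matched:
            action = matched[0]
        elif entry["method"] == "PUT" and entry["user"] != "Anonymous":
            action = "PUT"
        else:
            continue
        hits.append({
            "user": entry["user"],
            "host": entry["host"],
            "ts": entry["ts"],
            "method": entry["method"],
            "path": path,
            "status": entry["status"],
            "action": action,
            # A 2xx/3xx means the ZMI accepted the request, so the script now exists or changed.
            "succeeded": entry["status"] < 400,
        })
    return hits


def summarize_by_user(hits):
    """Count accepted script create/edit actions per user; a burst from one account is what to look at."""
    counts = {}
    for h in hits:
        if h["succeeded"]:
            counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    events = find_script_management_events(SAMPLE_LOG)
    for h in events:
        print(f'{h["ts"]} {h["user"]}@{h["host"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["action"]})')
    print(summarize_by_user(events))
```

On a real instance, feed the script the rotated Z2.log files and correlate each accepted creation with the GET requests that follow to the new script's URL, since the write happens when the script is called, not when it is saved.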

🔗 References

  • Plone security hotfix 20210518, "Writing arbitrary files via docutils and Python Script": https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script
  • NVD entry for CVE-2021-33509: https://nvd.nist.gov/vuln/detail/CVE-2021-33509