Опубликовано: 17 мая 2022
Источник: github
Github: Прошло ревью
CVSS4: 6.3
CVSS3: 4.8
Описание
Plone is vulnerable to Information Exposure when generating zip archives
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2013-4191
- https://bugzilla.redhat.com/show_bug.cgi?id=978453
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-55.yaml
- http://plone.org/products/plone-hotfix/releases/20130618
- http://plone.org/products/plone/security/advisories/20130618-announcement
- http://seclists.org/oss-sec/2013/q3/261
Пакеты
Наименование
Plone
pip
Затронутые версииВерсия исправления
>= 2.1, <= 4.1
4.1.1
Наименование
Plone
pip
Затронутые версииВерсия исправления
>= 4.2, < 4.2.6
4.2.6
Наименование
Plone
pip
Затронутые версииВерсия исправления
>= 4.3, < 4.3.2
4.3.2
Связанные уязвимости
nvd
почти 12 лет назад
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.