Filesystem information leak

A vulnerability that allows remote attackers to obtain information on files on the server

Versions affected

5.1a1
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.1
5.0
5.0rc3
5.0rc2
5.0rc1
4.3.11
4.3.10
4.3.9
4.3.8
4.3.7
4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.1
4.3
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2

Vulnerability

By using relative paths and guessing locations on a server Plone is installed on, an attacker can read data from a target server that the process running plone has permission to read. The attacker needs administrator privileges on the Plone site to perform this attack.

Current status

Patched

Credits

Discovered by

Sebastian Perez

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2016-7135

Type

Information leak

Severity

6.1 – medium
Vector	Network
Complexity	Low
Authentication	Multiple
Confidentiality	Complete
Integrity	None
Availability	None

Timeline

Vulnerability reported: 2016-07-18
Hotfix released: 2016-08-30