Remote Code Execution via traversal in expressions part 2
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
This is an extension of the other traversal expressions vulnerability reported for this hotfix. The new one was found only after the hotfix was released.
The original vulnerability concerned untrusted modules that became reachable, although they were not meant to be, because a trusted module imported them under an alias starting with an underscore to mark them private. The new vulnerability is that untrusted modules may still be reachable when a trusted module imports them under their original name.
By default, you need to have the Manager role to exploit this.
This vulnerability was first fixed in version 1.4 of the hotfix.
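To illustrate the two variants, here is an added example (not Zope's or Plone's code, and not the hotfix itself) that models a trusted module importing an untrusted one under a private alias and under its original name. The allowlist, module names and the two guarded attribute checks are constructed for this example; the first check blocks only underscore-prefixed names, the second also requires any module reached by traversal to be trusted in its own right.

```python
import types

# Hypothetical allowlist standing in for a trusted-module registry
# (constructed for this example, not the real Zope mechanism).
ALLOWED_MODULES = {"trusted_mod"}


class Unauthorized(Exception):
    """Raised when restricted traversal is denied."""


def _build_modules():
    """Construct a trusted module that imports an untrusted one two ways:
    under a private alias and under its original name."""
    untrusted = types.ModuleType("untrusted_mod")
    untrusted.dangerous = lambda: "reached untrusted code"
    trusted = types.ModuleType("trusted_mod")
    trusted.helper = lambda: "safe helper"
    trusted._untrusted = untrusted      # import untrusted_mod as _untrusted
    trusted.untrusted_mod = untrusted   # import untrusted_mod
    return trusted


def guarded_getattr_alias_only(obj, name):
    """Check that only blocks underscore-prefixed names (the first fix)."""
    if name.startswith("_"):
        raise Unauthorized(name)
    return getattr(obj, name)


def guarded_getattr_hardened(obj, name):
    """Also require any module reached by traversal to be allowlisted itself."""
    if name.startswith("_"):
        raise Unauthorized(name)
    value = getattr(obj, name)
    if isinstance(value, types.ModuleType) and value.__name__ not in ALLOWED_MODULES:
        raise Unauthorized(f"module {value.__name__} is not trusted")
    return value


def traverse(check, root, path):
    """Walk a dotted path (as an expression would) using the given check;
    return 'denied' or the type name of the object reached."""
    obj = root
    try:
        for part in path.split("."):
            obj = check(obj, part)
    except Unauthorized:
        return "denied"
    return type(obj).__name__


TRUSTED = _build_modules()
```

With the alias-only check, `untrusted_mod` and everything below it stays reachable through the trusted module; the hardened check denies it while still allowing `helper`.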
Current status
Hotfixed. Fix released in Zope 4.6.1 and 5.2.1.
Credits
Discovered by
- Calum Hutton
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team